Considering removing flags export from dpkg-buildpackage for quantal

Colin Watson cjwatson at
Sat Apr 28 00:39:54 UTC 2012

On #ubuntu-release today we've been discussing the possibility of
removing our hack from dpkg-buildpackage that exports the default output
of dpkg-buildflags in the environment.  This was an ugly hack to start
with, and some months ago we had to make it even more ugly temporarily
but on the general understanding that we would revert the whole lot
after 12.04 and start relying on dpkg-buildflags.

The effects of this change require some analysis; they were certainly
not obvious to me.  Many of the default flags set by dpkg-buildflags are
in fact already the defaults in Ubuntu's compiler:

  -fstack-protector --param=ssp-buffer-size=4
  -Wformat -Wformat-security

-Werror=format-security is output by dpkg-buildflags, but we filter that
out in the dpkg-buildpackage export hack at the moment to avoid causing
lots of build failures in unsuspecting packages.

The last remaining issue for default builds is therefore
-Wl,-Bsymbolic-functions.  This is subtle: we use it (IIRC) as a
performance improvement for shared libraries, and I wouldn't like that
to regress.  It's not trivial to detect whether a library has been built
that way, but after some fiddling I noticed that it shows up in the
output of 'objdump -R': a library built with -Wl,-Bsymbolic-functions
has more entries there.

I'm therefore currently building all of precise/main in a couple of
amd64 cloud instances with our hack removed from dpkg-buildpackage in
the build chroot, with the intention of checking for any build failures,
but also of extracting all the resulting shared libraries, running
'objdump -R' over them, and comparing against the corresponding shared
libraries in the archive.  That should give us a general idea of how
much work it will be to ensure that all shared libraries continue to be
built with -Wl,-Bsymbolic-functions (except where that had already been
disabled for one reason or another).  I hope to be able to report on
this after the weekend.

The other likely effect of removing this export hack is that putting
hardening options in DEB_BUILD_OPTIONS might start working differently.
However, this only affects local builds, and it can be fixed by
modifying packages to support dpkg-buildflags correctly.  This is a
release goal for wheezy
(, so
it's reasonable to expect Debian package maintainers to take patches for

Any other comments?

Colin Watson                                       [cjwatson at]

More information about the ubuntu-devel mailing list