On Friday, July 10, 2020 7:06 PM, Eli Schwartz via arch-dev-public <arch-dev-public@xxxxxxxxxxxxx> wrote:

> On 7/10/20 2:38 PM, Jan Alexander Steffens (heftig) via arch-dev-public
> wrote:
>
> > From: "Jan Alexander Steffens (heftig)" heftig@xxxxxxxxxxxxx
> > I recently read Fedora's documentation on build flags and I think
> > they have some useful ideas.
> >
> > 1. Move -D_FORTIFY_SOURCE=2 from CPPFLAGS to CFLAGS using -Wp:
> > Unfortunately, there are still build systems (e.g. CMake, homegrown
> > Makefile rules) which use CFLAGS but not CPPFLAGS. Ultimately, we can
> > cover more code with this workaround.
> >
>
> Sounds like a job for
>
> build() {
>     export CFLAGS="$CPPFLAGS $CFLAGS"
>     ...
> }
>
> (I do not understand how -Wp, helps here, its purpose is only to prevent
> the compiler driver from reinterpreting it before passing it to the
> preprocessor, and only if you have special needs and believe it will
> mangle your flags. -D_FORTIFY_SOURCE sounds sufficiently boring to say
> it won't be mangled.)

IIRC the main concern against -D_FORTIFY_SOURCE in CFLAGS (made by Allan?) was about the purity of passing preprocessor flags only to the preprocessor. I think using the "Wp" prefix for fortify solves the purity issue.

Side note: can you get rid of "-march=x86-64 -mtune=generic", which are default options for gcc on x86_64? It would be easier to read buildflags without this useless spam, especially when they will be extended by other meaningful things.

Yours sincerely
G. K.