author: Robert Scott <code@humanleg.org.uk> 2024-06-05 23:08:07 +0100
committer: Robert Scott <code@humanleg.org.uk> 2024-06-05 23:10:12 +0100
commit: a8062e526cb6448373b95028c4f91800ba108662
tree: 17260e904de513879e9325cae319cc210a72e8d6 /doc
parent: 1d6a7e4e59914f0f883af2559a6c4b3c761e7415
doc/stdenv: hardening flags: add note on conditional support for some flags
Diffstat (limited to 'doc')
-rw-r--r-- doc/stdenv/stdenv.chapter.md 2
1 files changed, 2 insertions, 0 deletions
diff --git a/doc/stdenv/stdenv.chapter.md b/doc/stdenv/stdenv.chapter.md
index f3cdb1f2dc0c..368e7be93825 100644
--- a/doc/stdenv/stdenv.chapter.md
+++ b/doc/stdenv/stdenv.chapter.md
@@ -1558,6 +1558,8 @@ Both parameters take a list of flags as strings. The special `"all"` flag can be
For more in-depth information on these hardening flags and hardening in general, refer to the [Debian Wiki](https://wiki.debian.org/Hardening), [Ubuntu Wiki](https://wiki.ubuntu.com/Security/Features), [Gentoo Wiki](https://wiki.gentoo.org/wiki/Project:Hardened), and the [Arch Wiki](https://wiki.archlinux.org/title/Security).
+Note that support for some hardening flags varies by compiler, CPU architecture, target OS and libc. Combinations of these that don't support a particular hardening flag will silently ignore attempts to enable it. To see exactly which hardening flags are being employed in any invocation, the `NIX_DEBUG` environment variable can be used.
+
### Hardening flags enabled by default {#sec-hardening-flags-enabled-by-default}
The following flags are enabled by default and might require disabling with `hardeningDisable` if the program to package is incompatible.
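Review bot: the last added sentence says `NIX_DEBUG` "can be used" but does not say what value to set it to or where the resulting output appears, so a reader cannot act on it. Because the preceding sentence states that unsupported combinations "silently ignore" a flag, this variable is the only verification path the paragraph offers; suggest stating the value to set and where to look for the list of flags in effect (for example, in the build log), ideally with one line of sample output. It would also help to say which flags are the conditionally supported ones, or that the per-flag entries below call this out, since "some hardening flags" leaves a packager unable to tell whether a given flag they rely on is affected.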