debian: enable build hardening features

Debian's build hardening toolchain options produce binary artifacts that are more resistant to compromise. The most visible change for notmuch today is likely to be the addition of the "bindnow" linker flag, which contributes to making the "Global Offset Table" fully read-only. See https://wiki.debian.org/Hardening for more details. Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
author: Daniel Kahn Gillmor <dkg@fifthhorseman.net> 2019-06-10 04:35:03 +0300
committer: David Bremner <david@tethera.net> 2019-06-11 07:24:20 -0300
commit: cd733b079f7038d73cbaa88fa5ade40794f670bd (patch)
tree: 3ce469a676f8beef171b85771845ea090a86eed4 /debian/rules
parent: 00c63bf7364778a75591fe494e029233736af04d (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/debian/rules b/debian/rules
index d056edb6..ebd10481 100755
--- a/debian/rules
+++ b/debian/rules
@@ -2,6 +2,8 @@
 
 python3_all = py3versions -s | xargs -n1 | xargs -t -I {} env {}
 
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
 %:
 	dh $@ --with python2,python3,elpa
author	Daniel Kahn Gillmor <dkg@fifthhorseman.net>	2019-06-10 04:35:03 +0300
committer	David Bremner <david@tethera.net>	2019-06-11 07:24:20 -0300
commit	cd733b079f7038d73cbaa88fa5ade40794f670bd (patch)
tree	3ce469a676f8beef171b85771845ea090a86eed4 /debian/rules
parent	00c63bf7364778a75591fe494e029233736af04d (diff)