1dpkg-buildflags(1)                dpkg suite                dpkg-buildflags(1)
2
3
4

NAME

6       dpkg-buildflags - returns build flags to use during package build
7

SYNOPSIS

9       dpkg-buildflags [option...] [command]
10

DESCRIPTION

12       dpkg-buildflags is a tool to retrieve compilation flags to use during
13       build of Debian packages.
14
15       The default flags are defined by the vendor but they can be
16       extended/overridden in several ways:
17
18       1.  system-wide with /etc/dpkg/buildflags.conf;
19
20       2.  for the current user with $XDG_CONFIG_HOME/dpkg/buildflags.conf
21           where $XDG_CONFIG_HOME defaults to $HOME/.config;
22
23       3.  temporarily by the user with environment variables (see section
24           ENVIRONMENT);
25
26       4.  dynamically by the package maintainer with environment variables
27           set via debian/rules (see section ENVIRONMENT).
28
29       The configuration files can contain four types of directives:
30
31       SET flag value
32           Override the flag named flag to have the value value.
33
34       STRIP flag value
35           Strip from the flag named flag all the build flags listed in value.
36
37       APPEND flag value
38           Extend the flag named flag by appending the options given in value.
39           A space is prepended to the appended value if the flag's current
40           value is non-empty.
41
42       PREPEND flag value
43           Extend the flag named flag by prepending the options given in
44           value.  A space is appended to the prepended value if the flag's
45           current value is non-empty.
46
47       The configuration files can contain comments on lines starting with a
48       hash (#). Empty lines are also ignored.
49

COMMANDS

51       --dump
52           Print to standard output all compilation flags and their values. It
53           prints one flag per line separated from its value by an equal sign
54           (“flag=value”). This is the default action.
55
56       --list
57           Print the list of flags supported by the current vendor (one per
58           line). See the SUPPORTED FLAGS section for more information about
59           them.
60
61       --status
62           Display any information that can be useful to explain the behaviour
63           of dpkg-buildflags (since dpkg 1.16.5): relevant environment
64           variables, current vendor, state of all feature flags.  Also print
65           the resulting compiler flags with their origin.
66
67           This is intended to be run from debian/rules, so that the build log
68           keeps a clear trace of the build flags used. This can be useful to
69           diagnose problems related to them.
70
71       --export=format
72           Print to standard output commands that can be used to export all
73           the compilation flags for some particular tool. If the format value
74           is not given, sh is assumed. Only compilation flags starting with
75           an upper case character are included, others are assumed to not be
76           suitable for the environment. Supported formats:
77
78           sh  Shell commands to set and export all the compilation flags in
79               the environment. The flag values are quoted so the output is
80               ready for evaluation by a shell.
81
82           cmdline
83               Arguments to pass to a build program's command line to use all
84               the compilation flags (since dpkg 1.17.0). The flag values are
85               quoted in shell syntax.
86
87           configure
88               This is a legacy alias for cmdline.
89
90           make
91               Make directives to set and export all the compilation flags in
92               the environment. Output can be written to a Makefile fragment
93               and evaluated using an include directive.
94
95       --get flag
96           Print the value of the flag on standard output. Exits with 0 if the
97           flag is known otherwise exits with 1.
98
99       --origin flag
100           Print the origin of the value that is returned by --get. Exits with
101           0 if the flag is known otherwise exits with 1. The origin can be
102           one of the following values:
103
104           vendor
105               the original flag set by the vendor is returned;
106
107           system
108               the flag is set/modified by a system-wide configuration;
109
110           user
111               the flag is set/modified by a user-specific configuration;
112
113           env the flag is set/modified by an environment-specific
114               configuration.
115
116       --query
117           Print any information that can be useful to explain the behaviour
118           of the program: current vendor, relevant environment variables,
119           feature areas, state of all feature flags, and the compiler flags
120           with their origin (since dpkg 1.19.0).
121
122           For example:
123
124            Vendor: Debian
125            Environment:
126             DEB_CFLAGS_SET=-O0 -Wall
127
128            Area: qa
129            Features:
130             bug=no
131             canary=no
132
133            Area: reproducible
134            Features:
135             timeless=no
136
137            Flag: CFLAGS
138            Value: -O0 -Wall
139            Origin: env
140
141            Flag: CPPFLAGS
142            Value: -D_FORTIFY_SOURCE=2
143            Origin: vendor
144
145       --query-features area
146           Print the features enabled for a given area (since dpkg 1.16.2).
147           The only currently recognized areas on Debian and derivatives are
148           future, qa, reproducible, sanitize and hardening, see the FEATURE
149           AREAS section for more details.  Exits with 0 if the area is known
150           otherwise exits with 1.
151
152           The output is in RFC822 format, with one section per feature.  For
153           example:
154
155            Feature: pie
156            Enabled: yes
157
158            Feature: stackprotector
159            Enabled: yes
160
161       --help
162           Show the usage message and exit.
163
164       --version
165           Show the version and exit.
166

SUPPORTED FLAGS

168       CFLAGS
169           Options for the C compiler. The default value set by the vendor
170           includes -g and the default optimization level (-O2 usually, or -O0
171           if the DEB_BUILD_OPTIONS environment variable defines noopt).
172
173       CPPFLAGS
174           Options for the C preprocessor. Default value: empty.
175
176       CXXFLAGS
177           Options for the C++ compiler. Same as CFLAGS.
178
179       OBJCFLAGS
180           Options for the Objective C compiler. Same as CFLAGS.
181
182       OBJCXXFLAGS
183           Options for the Objective C++ compiler. Same as CXXFLAGS.
184
185       GCJFLAGS
186           Options for the GNU Java compiler (gcj). A subset of CFLAGS.
187
188       DFLAGS
189           Options for the D compiler (ldc or gdc). Since dpkg 1.20.6.
190
191       FFLAGS
192           Options for the Fortran 77 compiler. A subset of CFLAGS.
193
194       FCFLAGS
195           Options for the Fortran 9x compiler. Same as FFLAGS.
196
197       LDFLAGS
198           Options passed to the compiler when linking executables or shared
199           objects (if the linker is called directly, then -Wl and , have to
200           be stripped from these options). Default value: empty.
201
202       New flags might be added in the future if the need arises (for example
203       to support other languages).
204

FEATURE AREAS

206       Each area feature can be enabled and disabled in the DEB_BUILD_OPTIONS
207       and DEB_BUILD_MAINT_OPTIONS environment variable's area value with the
208+’ and ‘-’ modifier.  For example, to enable the hardening “pie”
209       feature and disable the “fortify” feature you can do this in
210       debian/rules:
211
212           export DEB_BUILD_MAINT_OPTIONS=hardening=+pie,-fortify
213
214       The special feature all (valid in any area) can be used to enable or
215       disable all area features at the same time.  Thus disabling everything
216       in the hardening area and enabling only “format” and “fortify” can be
217       achieved with:
218
219           export DEB_BUILD_MAINT_OPTIONS=hardening=-all,+format,+fortify
220
221   future
222       Several compile-time options (detailed below) can be used to enable
223       features that should be enabled by default, but cannot due to backwards
224       compatibility reasons.
225
226       lfs This setting (disabled by default) enables Large File Support on
227           32-bit architectures where their ABI does not include LFS by
228           default, by adding -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 to
229           CPPFLAGS.
230
231   qa
232       Several compile-time options (detailed below) can be used to help
233       detect problems in the source code or build system.
234
235       bug This setting (disabled by default) adds any warning option that
236           reliably detects problematic source code. The warnings are fatal.
237           The only currently supported flags are CFLAGS and CXXFLAGS with
238           flags set to -Werror=array-bounds, -Werror=clobbered,
239           -Werror=implicit-function-declaration and
240           -Werror=volatile-register-var.
241
242       canary
243           This setting (disabled by default) adds dummy canary options to the
244           build flags, so that the build logs can be checked for how the
245           build flags propagate and to allow finding any omission of normal
246           build flag settings.  The only currently supported flags are
247           CPPFLAGS, CFLAGS, OBJCFLAGS, CXXFLAGS and OBJCXXFLAGS with flags
248           set to -D__DEB_CANARY_flag_random-id__, and LDFLAGS set to
249           -Wl,-z,deb-canary-random-id.
250
251   sanitize
252       Several compile-time options (detailed below) can be used to help
253       sanitize a resulting binary against memory corruptions, memory leaks,
254       use after free, threading data races and undefined behavior bugs.
255       Note: these options should not be used for production builds as they
256       can reduce reliability for conformant code, reduce security or even
257       functionality.
258
259       address
260           This setting (disabled by default) adds -fsanitize=address to
261           LDFLAGS and -fsanitize=address -fno-omit-frame-pointer to CFLAGS
262           and CXXFLAGS.
263
264       thread
265           This setting (disabled by default) adds -fsanitize=thread to
266           CFLAGS, CXXFLAGS and LDFLAGS.
267
268       leak
269           This setting (disabled by default) adds -fsanitize=leak to LDFLAGS.
270           It gets automatically disabled if either the address or the thread
271           features are enabled, as they imply it.
272
273       undefined
274           This setting (disabled by default) adds -fsanitize=undefined to
275           CFLAGS, CXXFLAGS and LDFLAGS.
276
277   hardening
278       Several compile-time options (detailed below) can be used to help
279       harden a resulting binary against memory corruption attacks, or provide
280       additional warning messages during compilation.  Except as noted below,
281       these are enabled by default for architectures that support them.
282
283       format
284           This setting (enabled by default) adds -Wformat
285           -Werror=format-security to CFLAGS, CXXFLAGS, OBJCFLAGS and
286           OBJCXXFLAGS.  This will warn about improper format string uses, and
287           will fail when format functions are used in a way that represent
288           possible security problems. At present, this warns about calls to
289           printf and scanf functions where the format string is not a string
290           literal and there are no format arguments, as in printf(foo);
291           instead of printf("%s", foo); This may be a security hole if the
292           format string came from untrusted input and contains ‘%n’.
293
294       fortify
295           This setting (enabled by default) adds -D_FORTIFY_SOURCE=2 to
296           CPPFLAGS. During code generation the compiler knows a great deal of
297           information about buffer sizes (where possible), and attempts to
298           replace insecure unlimited length buffer function calls with
299           length-limited ones. This is especially useful for old, crufty
300           code.  Additionally, format strings in writable memory that contain
301           ‘%n’ are blocked. If an application depends on such a format
302           string, it will need to be worked around.
303
304           Note that for this option to have any effect, the source must also
305           be compiled with -O1 or higher. If the environment variable
306           DEB_BUILD_OPTIONS contains noopt, then fortify support will be
307           disabled, due to new warnings being issued by glibc 2.16 and later.
308
309       stackprotector
310           This setting (enabled by default if stackprotectorstrong is not in
311           use) adds -fstack-protector --param=ssp-buffer-size=4 to CFLAGS,
312           CXXFLAGS, OBJCFLAGS, OBJCXXFLAGS, GCJFLAGS, FFLAGS and FCFLAGS.
313           This adds safety checks against stack overwrites. This renders many
314           potential code injection attacks into aborting situations. In the
315           best case this turns code injection vulnerabilities into denial of
316           service or into non-issues (depending on the application).
317
318           This feature requires linking against glibc (or another provider of
319           __stack_chk_fail), so needs to be disabled when building with
320           -nostdlib or -ffreestanding or similar.
321
322       stackprotectorstrong
323           This setting (enabled by default) adds -fstack-protector-strong to
324           CFLAGS, CXXFLAGS, OBJCFLAGS, OBJCXXFLAGS, GCJFLAGS, FFLAGS and
325           FCFLAGS.  This is a stronger variant of stackprotector, but without
326           significant performance penalties.
327
328           Disabling stackprotector will also disable this setting.
329
330           This feature has the same requirements as stackprotector, and in
331           addition also requires gcc 4.9 and later.
332
333       relro
334           This setting (enabled by default) adds -Wl,-z,relro to LDFLAGS.
335           During program load, several ELF memory sections need to be written
336           to by the linker. This flags the loader to turn these sections
337           read-only before turning over control to the program. Most notably
338           this prevents GOT overwrite attacks. If this option is disabled,
339           bindnow will become disabled as well.
340
341       bindnow
342           This setting (disabled by default) adds -Wl,-z,now to LDFLAGS.
343           During program load, all dynamic symbols are resolved, allowing for
344           the entire PLT to be marked read-only (due to relro above). The
345           option cannot become enabled if relro is not enabled.
346
347       pie This setting (with no global default since dpkg 1.18.23, as it is
348           enabled by default now by gcc on the amd64, arm64, armel, armhf,
349           hurd-i386, i386, kfreebsd-amd64, kfreebsd-i386, mips, mipsel,
350           mips64el, powerpc, ppc64, ppc64el, riscv64, s390x, sparc and
351           sparc64 Debian architectures) adds the required options to enable
352           or disable PIE via gcc specs files, if needed, depending on whether
353           gcc injects on that architecture the flags by itself or not.  When
354           the setting is enabled and gcc injects the flags, it adds nothing.
355           When the setting is enabled and gcc does not inject the flags, it
356           adds -fPIE (via /usr/share/dpkg/pie-compiler.specs) to CFLAGS,
357           CXXFLAGS, OBJCFLAGS, OBJCXXFLAGS, GCJFLAGS, FFLAGS and FCFLAGS, and
358           -fPIE -pie (via /usr/share/dpkg/pie-link.specs) to LDFLAGS.  When
359           the setting is disabled and gcc injects the flags, it adds -fno-PIE
360           (via /usr/share/dpkg/no-pie-compile.specs) to CFLAGS, CXXFLAGS,
361           OBJCFLAGS, OBJCXXFLAGS, GCJFLAGS, FFLAGS and FCFLAGS, and -fno-PIE
362           -no-pie (via /usr/share/dpkg/no-pie-link.specs) to LDFLAGS.
363
364           Position Independent Executable are needed to take advantage of
365           Address Space Layout Randomization, supported by some kernel
366           versions. While ASLR can already be enforced for data areas in the
367           stack and heap (brk and mmap), the code areas must be compiled as
368           position-independent. Shared libraries already do this (-fPIC), so
369           they gain ASLR automatically, but binary .text regions need to be
370           build PIE to gain ASLR. When this happens, ROP (Return Oriented
371           Programming) attacks are much harder since there are no static
372           locations to bounce off of during a memory corruption attack.
373
374           PIE is not compatible with -fPIC, so in general care must be taken
375           when building shared objects. But because the PIE flags emitted get
376           injected via gcc specs files, it should always be safe to
377           unconditionally set them regardless of the object type being
378           compiled or linked.
379
380           Static libraries can be used by programs or other shared libraries.
381           Depending on the flags used to compile all the objects within a
382           static library, these libraries will be usable by different sets of
383           objects:
384
385           none
386               Cannot be linked into a PIE program, nor a shared library.
387
388           -fPIE
389               Can be linked into any program, but not a shared library
390               (recommended).
391
392           -fPIC
393               Can be linked into any program and shared library.
394
395           If there is a need to set these flags manually, bypassing the gcc
396           specs injection, there are several things to take into account.
397           Unconditionally and explicitly passing -fPIE, -fpie or -pie to a
398           build-system using libtool is safe as these flags will get stripped
399           when building shared libraries.  Otherwise on projects that build
400           both programs and shared libraries you might need to make sure that
401           when building the shared libraries -fPIC is always passed last (so
402           that it overrides any previous -PIE) to compilation flags such as
403           CFLAGS, and -shared is passed last (so that it overrides any
404           previous -pie) to linking flags such as LDFLAGS. Note: This should
405           not be needed with the default gcc specs machinery.
406
407           Additionally, since PIE is implemented via a general register, some
408           register starved architectures (but not including i386 anymore
409           since optimizations implemented in gcc >= 5) can see performance
410           losses of up to 15% in very text-segment-heavy application
411           workloads; most workloads see less than 1%. Architectures with more
412           general registers (e.g. amd64) do not see as high a worst-case
413           penalty.
414
415   reproducible
416       The compile-time options detailed below can be used to help improve
417       build reproducibility or provide additional warning messages during
418       compilation. Except as noted below, these are enabled by default for
419       architectures that support them.
420
421       timeless
422           This setting (enabled by default) adds -Wdate-time to CPPFLAGS.
423           This will cause warnings when the __TIME__, __DATE__ and
424           __TIMESTAMP__ macros are used.
425
426       fixfilepath
427           This setting (enabled by default) adds
428           -ffile-prefix-map=BUILDPATH=.  to CFLAGS, CXXFLAGS, OBJCFLAGS,
429           OBJCXXFLAGS, GCJFLAGS, FFLAGS and FCFLAGS where BUILDPATH is set to
430           the top-level directory of the package being built.  This has the
431           effect of removing the build path from any generated file.
432
433           If both fixdebugpath and fixfilepath are set, this option takes
434           precedence, because it is a superset of the former.
435
436       fixdebugpath
437           This setting (enabled by default) adds
438           -fdebug-prefix-map=BUILDPATH=.  to CFLAGS, CXXFLAGS, OBJCFLAGS,
439           OBJCXXFLAGS, GCJFLAGS, FFLAGS and FCFLAGS where BUILDPATH is set to
440           the top-level directory of the package being built.  This has the
441           effect of removing the build path from any generated debug symbols.
442

ENVIRONMENT

444       There are 2 sets of environment variables doing the same operations,
445       the first one (DEB_flag_op) should never be used within debian/rules.
446       It's meant for any user that wants to rebuild the source package with
447       different build flags. The second set (DEB_flag_MAINT_op) should only
448       be used in debian/rules by package maintainers to change the resulting
449       build flags.
450
451       DEB_flag_SET
452       DEB_flag_MAINT_SET
453           This variable can be used to force the value returned for the given
454           flag.
455
456       DEB_flag_STRIP
457       DEB_flag_MAINT_STRIP
458           This variable can be used to provide a space separated list of
459           options that will be stripped from the set of flags returned for
460           the given flag.
461
462       DEB_flag_APPEND
463       DEB_flag_MAINT_APPEND
464           This variable can be used to append supplementary options to the
465           value returned for the given flag.
466
467       DEB_flag_PREPEND
468       DEB_flag_MAINT_PREPEND
469           This variable can be used to prepend supplementary options to the
470           value returned for the given flag.
471
472       DEB_BUILD_OPTIONS
473       DEB_BUILD_MAINT_OPTIONS
474           These variables can be used by a user or maintainer to
475           disable/enable various area features that affect build flags.  The
476           DEB_BUILD_MAINT_OPTIONS variable overrides any setting in the
477           DEB_BUILD_OPTIONS feature areas.  See the FEATURE AREAS section for
478           details.
479
480       DEB_VENDOR
481           This setting defines the current vendor.  If not set, it will
482           discover the current vendor by reading /etc/dpkg/origins/default.
483
484       DEB_BUILD_PATH
485           This variable sets the build path (since dpkg 1.18.8) to use in
486           features such as fixdebugpath so that they can be controlled by the
487           caller.  This variable is currently Debian and derivatives-
488           specific.
489
490       DPKG_COLORS
491           Sets the color mode (since dpkg 1.18.5).  The currently accepted
492           values are: auto (default), always and never.
493
494       DPKG_NLS
495           If set, it will be used to decide whether to activate Native
496           Language Support, also known as internationalization (or i18n)
497           support (since dpkg 1.19.0).  The accepted values are: 0 and 1
498           (default).
499

FILES

501   Configuration files
502       /etc/dpkg/buildflags.conf
503           System wide configuration file.
504
505       $XDG_CONFIG_HOME/dpkg/buildflags.conf or
506       $HOME/.config/dpkg/buildflags.conf
507           User configuration file.
508
509   Packaging support
510       /usr/share/dpkg/buildflags.mk
511           Makefile snippet that will load (and optionally export) all flags
512           supported by dpkg-buildflags into variables (since dpkg 1.16.1).
513

EXAMPLES

515       To pass build flags to a build command in a Makefile:
516
517        $(MAKE) $(shell dpkg-buildflags --export=cmdline)
518
519        ./configure $(shell dpkg-buildflags --export=cmdline)
520
521       To set build flags in a shell script or shell fragment, eval can be
522       used to interpret the output and to export the flags in the
523       environment:
524
525        eval "$(dpkg-buildflags --export=sh)" && make
526
527       or to set the positional parameters to pass to a command:
528
529        eval "set -- $(dpkg-buildflags --export=cmdline)"
530        for dir in a b c; do (cd $dir && ./configure "$@" && make); done
531
532   Usage in debian/rules
533       You should call dpkg-buildflags or include buildflags.mk from the
534       debian/rules file to obtain the needed build flags to pass to the build
535       system.  Note that older versions of dpkg-buildpackage (before dpkg
536       1.16.1) exported these flags automatically. However, you should not
537       rely on this, since this breaks manual invocation of debian/rules.
538
539       For packages with autoconf-like build systems, you can pass the
540       relevant options to configure or make(1) directly, as shown above.
541
542       For other build systems, or when you need more fine-grained control
543       about which flags are passed where, you can use --get. Or you can
544       include buildflags.mk instead, which takes care of calling dpkg-
545       buildflags and storing the build flags in make variables.
546
547       If you want to export all buildflags into the environment (where they
548       can be picked up by your build system):
549
550        DPKG_EXPORT_BUILDFLAGS = 1
551        include /usr/share/dpkg/buildflags.mk
552
553       For some extra control over what is exported, you can manually export
554       the variables (as none are exported by default):
555
556        include /usr/share/dpkg/buildflags.mk
557        export CPPFLAGS CFLAGS LDFLAGS
558
559       And you can of course pass the flags to commands manually:
560
561        include /usr/share/dpkg/buildflags.mk
562        build-arch:
563               $(CC) -o hello hello.c $(CPPFLAGS) $(CFLAGS) $(LDFLAGS)
564
565
566
5671.20.9                            2021-04-13                dpkg-buildflags(1)
Impressum