1dpkg-buildflags(1) dpkg suite dpkg-buildflags(1)
2
6 dpkg-buildflags - returns build flags to use during package build
7
9 dpkg-buildflags [option...] [command]
10
12 dpkg-buildflags is a tool to retrieve compilation flags to use during
13 build of Debian packages.
14 The default flags are defined by the vendor but they can be
16 extended/overridden in several ways:
17 1. system-wide with /etc/dpkg/buildflags.conf;
19 2. for the current user with $XDG_CONFIG_HOME/dpkg/buildflags.conf
21 where $XDG_CONFIG_HOME defaults to $HOME/.config;
22 3. temporarily by the user with environment variables (see section
24 ENVIRONMENT);
25 4. dynamically by the package maintainer with environment variables
27 set via debian/rules (see section ENVIRONMENT).
28 The configuration files can contain four types of directives:
30 SET flag value
32 Override the flag named flag to have the value value.
33 STRIP flag value
35 Strip from the flag named flag all the build flags listed in value.
36 APPEND flag value
38 Extend the flag named flag by appending the options given in value.
39 A space is prepended to the appended value if the flag's current
40 value is non-empty.
41 PREPEND flag value
43 Extend the flag named flag by prepending the options given in
44 value. A space is appended to the prepended value if the flag's
45 current value is non-empty.
46 The configuration files can contain comments on lines starting with a
48 hash (#). Empty lines are also ignored.
49
51 --dump
52 Print to standard output all compilation flags and their values. It
53 prints one flag per line separated from its value by an equal sign
54 (“flag=value”). This is the default action.
55 --list
57 Print the list of flags supported by the current vendor (one per
58 line). See the SUPPORTED FLAGS section for more information about
59 them.
60 --status
62 Display any information that can be useful to explain the behaviour
63 of dpkg-buildflags (since dpkg 1.16.5): relevant environment
64 variables, current vendor, state of all feature flags. Also print
65 the resulting compiler flags with their origin.
66 This is intended to be run from debian/rules, so that the build log
68 keeps a clear trace of the build flags used. This can be useful to
69 diagnose problems related to them.
70 --export=format
72 Print to standard output commands that can be used to export all
73 the compilation flags for some particular tool. If the format value
74 is not given, sh is assumed. Only compilation flags starting with
75 an upper case character are included, others are assumed to not be
76 suitable for the environment. Supported formats:
77 sh Shell commands to set and export all the compilation flags in
79 the environment. The flag values are quoted so the output is
80 ready for evaluation by a shell.
81 cmdline
83 Arguments to pass to a build program's command line to use all
84 the compilation flags (since dpkg 1.17.0). The flag values are
85 quoted in shell syntax.
86 configure
88 This is a legacy alias for cmdline.
89 make
91 Make directives to set and export all the compilation flags in
92 the environment. Output can be written to a Makefile fragment
93 and evaluated using an include directive.
94 --get flag
96 Print the value of the flag on standard output. Exits with 0 if the
97 flag is known otherwise exits with 1.
98 --origin flag
100 Print the origin of the value that is returned by --get. Exits with
101 0 if the flag is known otherwise exits with 1. The origin can be
102 one of the following values:
103 vendor
105 the original flag set by the vendor is returned;
106 system
108 the flag is set/modified by a system-wide configuration;
109 user
111 the flag is set/modified by a user-specific configuration;
112 env the flag is set/modified by an environment-specific
114 configuration.
115 --query
117 Print any information that can be useful to explain the behaviour
118 of the program: current vendor, relevant environment variables,
119 feature areas, state of all feature flags, and the compiler flags
120 with their origin (since dpkg 1.19.0).
121 For example:
123 Vendor: Debian
125 Environment:
126 DEB_CFLAGS_SET=-O0 -Wall
127 Area: qa
129 Features:
130 bug=no
131 canary=no
132 Area: reproducible
134 Features:
135 timeless=no
136 Flag: CFLAGS
138 Value: -O0 -Wall
139 Origin: env
140 Flag: CPPFLAGS
142 Value: -D_FORTIFY_SOURCE=2
143 Origin: vendor
144 --query-features area
146 Print the features enabled for a given area (since dpkg 1.16.2).
147 The only currently recognized areas on Debian and derivatives are
148 future, qa, reproducible, sanitize and hardening, see the FEATURE
149 AREAS section for more details. Exits with 0 if the area is known
150 otherwise exits with 1.
151 The output is in RFC822 format, with one section per feature. For
153 example:
154 Feature: pie
156 Enabled: yes
157 Feature: stackprotector
159 Enabled: yes
160 --help
162 Show the usage message and exit.
163 --version
165 Show the version and exit.
166
168 CFLAGS
169 Options for the C compiler. The default value set by the vendor
170 includes -g and the default optimization level (-O2 usually, or -O0
171 if the DEB_BUILD_OPTIONS environment variable defines noopt).
172 CPPFLAGS
174 Options for the C preprocessor. Default value: empty.
175 CXXFLAGS
177 Options for the C++ compiler. Same as CFLAGS.
178 OBJCFLAGS
180 Options for the Objective C compiler. Same as CFLAGS.
181 OBJCXXFLAGS
183 Options for the Objective C++ compiler. Same as CXXFLAGS.
184 GCJFLAGS
186 Options for the GNU Java compiler (gcj). A subset of CFLAGS.
187 DFLAGS
189 Options for the D compiler (ldc or gdc). Since dpkg 1.20.6.
190 FFLAGS
192 Options for the Fortran 77 compiler. A subset of CFLAGS.
193 FCFLAGS
195 Options for the Fortran 9x compiler. Same as FFLAGS.
196 LDFLAGS
198 Options passed to the compiler when linking executables or shared
199 objects (if the linker is called directly, then -Wl and , have to
200 be stripped from these options). Default value: empty.
201 New flags might be added in the future if the need arises (for example
203 to support other languages).
204
206 Each area feature can be enabled and disabled in the DEB_BUILD_OPTIONS
207 and DEB_BUILD_MAINT_OPTIONS environment variable's area value with the
208 ‘+’ and ‘-’ modifier. For example, to enable the hardening “pie”
209 feature and disable the “fortify” feature you can do this in
210 debian/rules:
211 export DEB_BUILD_MAINT_OPTIONS=hardening=+pie,-fortify
213 The special feature all (valid in any area) can be used to enable or
215 disable all area features at the same time. Thus disabling everything
216 in the hardening area and enabling only “format” and “fortify” can be
217 achieved with:
218 export DEB_BUILD_MAINT_OPTIONS=hardening=-all,+format,+fortify
220 future
222 Several compile-time options (detailed below) can be used to enable
223 features that should be enabled by default, but cannot due to backwards
224 compatibility reasons.
225 lfs This setting (disabled by default) enables Large File Support on
227 32-bit architectures where their ABI does not include LFS by
228 default, by adding -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 to
229 CPPFLAGS.
230 qa
232 Several compile-time options (detailed below) can be used to help
233 detect problems in the source code or build system.
234 bug This setting (disabled by default) adds any warning option that
236 reliably detects problematic source code. The warnings are fatal.
237 The only currently supported flags are CFLAGS and CXXFLAGS with
238 flags set to -Werror=array-bounds, -Werror=clobbered,
239 -Werror=implicit-function-declaration and
240 -Werror=volatile-register-var.
241 canary
243 This setting (disabled by default) adds dummy canary options to the
244 build flags, so that the build logs can be checked for how the
245 build flags propagate and to allow finding any omission of normal
246 build flag settings. The only currently supported flags are
247 CPPFLAGS, CFLAGS, OBJCFLAGS, CXXFLAGS and OBJCXXFLAGS with flags
248 set to -D__DEB_CANARY_flag_random-id__, and LDFLAGS set to
249 -Wl,-z,deb-canary-random-id.
250 sanitize
252 Several compile-time options (detailed below) can be used to help
253 sanitize a resulting binary against memory corruptions, memory leaks,
254 use after free, threading data races and undefined behavior bugs.
255 Note: these options should not be used for production builds as they
256 can reduce reliability for conformant code, reduce security or even
257 functionality.
258 address
260 This setting (disabled by default) adds -fsanitize=address to
261 LDFLAGS and -fsanitize=address -fno-omit-frame-pointer to CFLAGS
262 and CXXFLAGS.
263 thread
265 This setting (disabled by default) adds -fsanitize=thread to
266 CFLAGS, CXXFLAGS and LDFLAGS.
267 leak
269 This setting (disabled by default) adds -fsanitize=leak to LDFLAGS.
270 It gets automatically disabled if either the address or the thread
271 features are enabled, as they imply it.
272 undefined
274 This setting (disabled by default) adds -fsanitize=undefined to
275 CFLAGS, CXXFLAGS and LDFLAGS.
276 hardening
278 Several compile-time options (detailed below) can be used to help
279 harden a resulting binary against memory corruption attacks, or provide
280 additional warning messages during compilation. Except as noted below,
281 these are enabled by default for architectures that support them.
282 format
284 This setting (enabled by default) adds -Wformat
285 -Werror=format-security to CFLAGS, CXXFLAGS, OBJCFLAGS and
286 OBJCXXFLAGS. This will warn about improper format string uses, and
287 will fail when format functions are used in a way that represent
288 possible security problems. At present, this warns about calls to
289 printf and scanf functions where the format string is not a string
290 literal and there are no format arguments, as in printf(foo);
291 instead of printf("%s", foo); This may be a security hole if the
292 format string came from untrusted input and contains ‘%n’.
293 fortify
295 This setting (enabled by default) adds -D_FORTIFY_SOURCE=2 to
296 CPPFLAGS. During code generation the compiler knows a great deal of
297 information about buffer sizes (where possible), and attempts to
298 replace insecure unlimited length buffer function calls with
299 length-limited ones. This is especially useful for old, crufty
300 code. Additionally, format strings in writable memory that contain
301 ‘%n’ are blocked. If an application depends on such a format
302 string, it will need to be worked around.
303 Note that for this option to have any effect, the source must also
305 be compiled with -O1 or higher. If the environment variable
306 DEB_BUILD_OPTIONS contains noopt, then fortify support will be
307 disabled, due to new warnings being issued by glibc 2.16 and later.
308 stackprotector
310 This setting (enabled by default if stackprotectorstrong is not in
311 use) adds -fstack-protector --param=ssp-buffer-size=4 to CFLAGS,
312 CXXFLAGS, OBJCFLAGS, OBJCXXFLAGS, GCJFLAGS, FFLAGS and FCFLAGS.
313 This adds safety checks against stack overwrites. This renders many
314 potential code injection attacks into aborting situations. In the
315 best case this turns code injection vulnerabilities into denial of
316 service or into non-issues (depending on the application).
317 This feature requires linking against glibc (or another provider of
319 __stack_chk_fail), so needs to be disabled when building with
320 -nostdlib or -ffreestanding or similar.
321 stackprotectorstrong
323 This setting (enabled by default) adds -fstack-protector-strong to
324 CFLAGS, CXXFLAGS, OBJCFLAGS, OBJCXXFLAGS, GCJFLAGS, FFLAGS and
325 FCFLAGS. This is a stronger variant of stackprotector, but without
326 significant performance penalties.
327 Disabling stackprotector will also disable this setting.
329 This feature has the same requirements as stackprotector, and in
331 addition also requires gcc 4.9 and later.
332 relro
334 This setting (enabled by default) adds -Wl,-z,relro to LDFLAGS.
335 During program load, several ELF memory sections need to be written
336 to by the linker. This flags the loader to turn these sections
337 read-only before turning over control to the program. Most notably
338 this prevents GOT overwrite attacks. If this option is disabled,
339 bindnow will become disabled as well.
340 bindnow
342 This setting (disabled by default) adds -Wl,-z,now to LDFLAGS.
343 During program load, all dynamic symbols are resolved, allowing for
344 the entire PLT to be marked read-only (due to relro above). The
345 option cannot become enabled if relro is not enabled.
346 pie This setting (with no global default since dpkg 1.18.23, as it is
348 enabled by default now by gcc on the amd64, arm64, armel, armhf,
349 hurd-i386, i386, kfreebsd-amd64, kfreebsd-i386, mips, mipsel,
350 mips64el, powerpc, ppc64, ppc64el, riscv64, s390x, sparc and
351 sparc64 Debian architectures) adds the required options to enable
352 or disable PIE via gcc specs files, if needed, depending on whether
353 gcc injects on that architecture the flags by itself or not. When
354 the setting is enabled and gcc injects the flags, it adds nothing.
355 When the setting is enabled and gcc does not inject the flags, it
356 adds -fPIE (via /usr/share/dpkg/pie-compiler.specs) to CFLAGS,
357 CXXFLAGS, OBJCFLAGS, OBJCXXFLAGS, GCJFLAGS, FFLAGS and FCFLAGS, and
358 -fPIE -pie (via /usr/share/dpkg/pie-link.specs) to LDFLAGS. When
359 the setting is disabled and gcc injects the flags, it adds -fno-PIE
360 (via /usr/share/dpkg/no-pie-compile.specs) to CFLAGS, CXXFLAGS,
361 OBJCFLAGS, OBJCXXFLAGS, GCJFLAGS, FFLAGS and FCFLAGS, and -fno-PIE
362 -no-pie (via /usr/share/dpkg/no-pie-link.specs) to LDFLAGS.
363 Position Independent Executable are needed to take advantage of
365 Address Space Layout Randomization, supported by some kernel
366 versions. While ASLR can already be enforced for data areas in the
367 stack and heap (brk and mmap), the code areas must be compiled as
368 position-independent. Shared libraries already do this (-fPIC), so
369 they gain ASLR automatically, but binary .text regions need to be
370 build PIE to gain ASLR. When this happens, ROP (Return Oriented
371 Programming) attacks are much harder since there are no static
372 locations to bounce off of during a memory corruption attack.
373 PIE is not compatible with -fPIC, so in general care must be taken
375 when building shared objects. But because the PIE flags emitted get
376 injected via gcc specs files, it should always be safe to
377 unconditionally set them regardless of the object type being
378 compiled or linked.
379 Static libraries can be used by programs or other shared libraries.
381 Depending on the flags used to compile all the objects within a
382 static library, these libraries will be usable by different sets of
383 objects:
384 none
386 Cannot be linked into a PIE program, nor a shared library.
387 -fPIE
389 Can be linked into any program, but not a shared library
390 (recommended).
391 -fPIC
393 Can be linked into any program and shared library.
394 If there is a need to set these flags manually, bypassing the gcc
396 specs injection, there are several things to take into account.
397 Unconditionally and explicitly passing -fPIE, -fpie or -pie to a
398 build-system using libtool is safe as these flags will get stripped
399 when building shared libraries. Otherwise on projects that build
400 both programs and shared libraries you might need to make sure that
401 when building the shared libraries -fPIC is always passed last (so
402 that it overrides any previous -PIE) to compilation flags such as
403 CFLAGS, and -shared is passed last (so that it overrides any
404 previous -pie) to linking flags such as LDFLAGS. Note: This should
405 not be needed with the default gcc specs machinery.
406 Additionally, since PIE is implemented via a general register, some
408 register starved architectures (but not including i386 anymore
409 since optimizations implemented in gcc >= 5) can see performance
410 losses of up to 15% in very text-segment-heavy application
411 workloads; most workloads see less than 1%. Architectures with more
412 general registers (e.g. amd64) do not see as high a worst-case
413 penalty.
414 reproducible
416 The compile-time options detailed below can be used to help improve
417 build reproducibility or provide additional warning messages during
418 compilation. Except as noted below, these are enabled by default for
419 architectures that support them.
420 timeless
422 This setting (enabled by default) adds -Wdate-time to CPPFLAGS.
423 This will cause warnings when the __TIME__, __DATE__ and
424 __TIMESTAMP__ macros are used.
425 fixfilepath
427 This setting (enabled by default) adds
428 -ffile-prefix-map=BUILDPATH=. to CFLAGS, CXXFLAGS, OBJCFLAGS,
429 OBJCXXFLAGS, GCJFLAGS, FFLAGS and FCFLAGS where BUILDPATH is set to
430 the top-level directory of the package being built. This has the
431 effect of removing the build path from any generated file.
432 If both fixdebugpath and fixfilepath are set, this option takes
434 precedence, because it is a superset of the former.
435 fixdebugpath
437 This setting (enabled by default) adds
438 -fdebug-prefix-map=BUILDPATH=. to CFLAGS, CXXFLAGS, OBJCFLAGS,
439 OBJCXXFLAGS, GCJFLAGS, FFLAGS and FCFLAGS where BUILDPATH is set to
440 the top-level directory of the package being built. This has the
441 effect of removing the build path from any generated debug symbols.
442
444 There are 2 sets of environment variables doing the same operations,
445 the first one (DEB_flag_op) should never be used within debian/rules.
446 It's meant for any user that wants to rebuild the source package with
447 different build flags. The second set (DEB_flag_MAINT_op) should only
448 be used in debian/rules by package maintainers to change the resulting
449 build flags.
450 DEB_flag_SET
452 DEB_flag_MAINT_SET
453 This variable can be used to force the value returned for the given
454 flag.
455 DEB_flag_STRIP
457 DEB_flag_MAINT_STRIP
458 This variable can be used to provide a space separated list of
459 options that will be stripped from the set of flags returned for
460 the given flag.
461 DEB_flag_APPEND
463 DEB_flag_MAINT_APPEND
464 This variable can be used to append supplementary options to the
465 value returned for the given flag.
466 DEB_flag_PREPEND
468 DEB_flag_MAINT_PREPEND
469 This variable can be used to prepend supplementary options to the
470 value returned for the given flag.
471 DEB_BUILD_OPTIONS
473 DEB_BUILD_MAINT_OPTIONS
474 These variables can be used by a user or maintainer to
475 disable/enable various area features that affect build flags. The
476 DEB_BUILD_MAINT_OPTIONS variable overrides any setting in the
477 DEB_BUILD_OPTIONS feature areas. See the FEATURE AREAS section for
478 details.
479 DEB_VENDOR
481 This setting defines the current vendor. If not set, it will
482 discover the current vendor by reading /etc/dpkg/origins/default.
483 DEB_BUILD_PATH
485 This variable sets the build path (since dpkg 1.18.8) to use in
486 features such as fixdebugpath so that they can be controlled by the
487 caller. This variable is currently Debian and derivatives-
488 specific.
489 DPKG_COLORS
491 Sets the color mode (since dpkg 1.18.5). The currently accepted
492 values are: auto (default), always and never.
493 DPKG_NLS
495 If set, it will be used to decide whether to activate Native
496 Language Support, also known as internationalization (or i18n)
497 support (since dpkg 1.19.0). The accepted values are: 0 and 1
498 (default).
499
501 Configuration files
502 /etc/dpkg/buildflags.conf
503 System wide configuration file.
504 $XDG_CONFIG_HOME/dpkg/buildflags.conf or
506 $HOME/.config/dpkg/buildflags.conf
507 User configuration file.
508 Packaging support
510 /usr/share/dpkg/buildflags.mk
511 Makefile snippet that will load (and optionally export) all flags
512 supported by dpkg-buildflags into variables (since dpkg 1.16.1).
513
515 To pass build flags to a build command in a Makefile:
516 $(MAKE) $(shell dpkg-buildflags --export=cmdline)
518 ./configure $(shell dpkg-buildflags --export=cmdline)
520 To set build flags in a shell script or shell fragment, eval can be
522 used to interpret the output and to export the flags in the
523 environment:
524 eval "$(dpkg-buildflags --export=sh)" && make
526 or to set the positional parameters to pass to a command:
528 eval "set -- $(dpkg-buildflags --export=cmdline)"
530 for dir in a b c; do (cd $dir && ./configure "$@" && make); done
531 Usage in debian/rules
533 You should call dpkg-buildflags or include buildflags.mk from the
534 debian/rules file to obtain the needed build flags to pass to the build
535 system. Note that older versions of dpkg-buildpackage (before dpkg
536 1.16.1) exported these flags automatically. However, you should not
537 rely on this, since this breaks manual invocation of debian/rules.
538 For packages with autoconf-like build systems, you can pass the
540 relevant options to configure or make(1) directly, as shown above.
541 For other build systems, or when you need more fine-grained control
543 about which flags are passed where, you can use --get. Or you can
544 include buildflags.mk instead, which takes care of calling dpkg-
545 buildflags and storing the build flags in make variables.
546 If you want to export all buildflags into the environment (where they
548 can be picked up by your build system):
549 DPKG_EXPORT_BUILDFLAGS = 1
551 include /usr/share/dpkg/buildflags.mk
552 For some extra control over what is exported, you can manually export
554 the variables (as none are exported by default):
555 include /usr/share/dpkg/buildflags.mk
557 export CPPFLAGS CFLAGS LDFLAGS
558 And you can of course pass the flags to commands manually:
560 include /usr/share/dpkg/buildflags.mk
562 build-arch:
563 $(CC) -o hello hello.c $(CPPFLAGS) $(CFLAGS) $(LDFLAGS)
5641.20.9 2021-04-13 dpkg-buildflags(1)