1dpkg-buildflags(1) dpkg suite dpkg-buildflags(1)
2
6 dpkg-buildflags - returns build flags to use during package build
7
9 dpkg-buildflags [option...] [command]
10
12 dpkg-buildflags is a tool to retrieve compilation flags to use during
13 build of Debian packages.
14 The default flags are defined by the vendor but they can be
16 extended/overridden in several ways:
17 1. system-wide with /etc/dpkg/buildflags.conf;
19 2. for the current user with $XDG_CONFIG_HOME/dpkg/buildflags.conf
21 where $XDG_CONFIG_HOME defaults to $HOME/.config;
22 3. temporarily by the user with environment variables (see section
24 ENVIRONMENT);
25 4. dynamically by the package maintainer with environment variables
27 set via debian/rules (see section ENVIRONMENT).
28 The configuration files can contain four types of directives:
30 SET flag value
32 Override the flag named flag to have the value value.
33 STRIP flag value
35 Strip from the flag named flag all the build flags listed in value.
36 APPEND flag value
38 Extend the flag named flag by appending the options given in value.
39 A space is prepended to the appended value if the flag's current
40 value is non-empty.
41 PREPEND flag value
43 Extend the flag named flag by prepending the options given in
44 value. A space is appended to the prepended value if the flag's
45 current value is non-empty.
46 The configuration files can contain comments on lines starting with a
48 hash (#). Empty lines are also ignored.
49
51 --dump
52 Print to standard output all compilation flags and their values. It
53 prints one flag per line separated from its value by an equal sign
54 (“flag=value”). This is the default action.
55 --list
57 Print the list of flags supported by the current vendor (one per
58 line). See the SUPPORTED FLAGS section for more information about
59 them.
60 --status
62 Display any information that can be useful to explain the behaviour
63 of dpkg-buildflags (since dpkg 1.16.5): relevant environment
64 variables, current vendor, state of all feature flags. Also print
65 the resulting compiler flags with their origin.
66 This is intended to be run from debian/rules, so that the build log
68 keeps a clear trace of the build flags used. This can be useful to
69 diagnose problems related to them.
70 --export=format
72 Print to standard output commands that can be used to export all
73 the compilation flags for some particular tool. If the format value
74 is not given, sh is assumed. Only compilation flags starting with
75 an upper case character are included, others are assumed to not be
76 suitable for the environment. Supported formats:
77 sh Shell commands to set and export all the compilation flags in
79 the environment. The flag values are quoted so the output is
80 ready for evaluation by a shell.
81 cmdline
83 Arguments to pass to a build program's command line to use all
84 the compilation flags (since dpkg 1.17.0). The flag values are
85 quoted in shell syntax.
86 configure
88 This is a legacy alias for cmdline.
89 make
91 Make directives to set and export all the compilation flags in
92 the environment. Output can be written to a Makefile fragment
93 and evaluated using an include directive.
94 --get flag
96 Print the value of the flag on standard output. Exits with 0 if the
97 flag is known otherwise exits with 1.
98 --origin flag
100 Print the origin of the value that is returned by --get. Exits with
101 0 if the flag is known otherwise exits with 1. The origin can be
102 one of the following values:
103 vendor
105 the original flag set by the vendor is returned;
106 system
108 the flag is set/modified by a system-wide configuration;
109 user
111 the flag is set/modified by a user-specific configuration;
112 env the flag is set/modified by an environment-specific
114 configuration.
115 --query
117 Print any information that can be useful to explain the behaviour
118 of the program: current vendor, relevant environment variables,
119 feature areas, state of all feature flags, whether a feature is
120 handled as a builtin default by the compiler (since dpkg 1.21.14),
121 and the compiler flags with their origin (since dpkg 1.19.0).
122 For example:
124 Vendor: Debian
126 Environment:
127 DEB_CFLAGS_SET=-O0 -Wall
128 Area: qa
130 Features:
131 bug=no
132 canary=no
133 Builtins:
134 Area: hardening
136 Features:
137 pie=no
138 Builtins:
139 pie=yes
140 Area: reproducible
142 Features:
143 timeless=no
144 Builtins:
145 Flag: CFLAGS
147 Value: -O0 -Wall
148 Origin: env
149 Flag: CPPFLAGS
151 Value: -D_FORTIFY_SOURCE=2
152 Origin: vendor
153 --query-features area
155 Print the features enabled for a given area (since dpkg 1.16.2).
156 If the feature is handled (even if only on some architectures) as a
157 builtin default by the compiler, then a Builtin field is printed
158 (since dpkg 1.21.14). The only currently recognized areas on
159 Debian and derivatives are future, qa, reproducible, sanitize and
160 hardening, see the FEATURE AREAS section for more details. Exits
161 with 0 if the area is known otherwise exits with 1.
162 The output is in RFC822 format, with one section per feature. For
164 example:
165 Feature: pie
167 Enabled: yes
168 Builtin: yes
169 Feature: stackprotector
171 Enabled: yes
172 --help
174 Show the usage message and exit.
175 --version
177 Show the version and exit.
178
180 ASFLAGS
181 Options for the assembler. Default value: empty. Since dpkg 1.21.0.
182 CFLAGS
184 Options for the C compiler. The default value set by the vendor
185 includes -g and the default optimization level (-O2 usually, or -O0
186 if the DEB_BUILD_OPTIONS environment variable defines noopt).
187 CPPFLAGS
189 Options for the C preprocessor. Default value: empty.
190 CXXFLAGS
192 Options for the C++ compiler. Same as CFLAGS.
193 OBJCFLAGS
195 Options for the Objective C compiler. Same as CFLAGS.
196 OBJCXXFLAGS
198 Options for the Objective C++ compiler. Same as CXXFLAGS.
199 GCJFLAGS
201 Options for the GNU Java compiler (gcj). A subset of CFLAGS.
202 DFLAGS
204 Options for the D compiler (ldc or gdc). Since dpkg 1.20.6.
205 FFLAGS
207 Options for the Fortran 77 compiler. A subset of CFLAGS.
208 FCFLAGS
210 Options for the Fortran 9x compiler. Same as FFLAGS.
211 LDFLAGS
213 Options passed to the compiler when linking executables or shared
214 objects (if the linker is called directly, then -Wl and , have to
215 be stripped from these options). Default value: empty.
216 New flags might be added in the future if the need arises (for example
218 to support other languages).
219
221 Each area feature can be enabled and disabled in the DEB_BUILD_OPTIONS
222 and DEB_BUILD_MAINT_OPTIONS environment variable's area value with the
223 ‘+’ and ‘-’ modifier. For example, to enable the hardening “pie”
224 feature and disable the “fortify” feature you can do this in
225 debian/rules:
226 export DEB_BUILD_MAINT_OPTIONS=hardening=+pie,-fortify
228 The special feature all (valid in any area) can be used to enable or
230 disable all area features at the same time. Thus disabling everything
231 in the hardening area and enabling only “format” and “fortify” can be
232 achieved with:
233 export DEB_BUILD_MAINT_OPTIONS=hardening=-all,+format,+fortify
235 future
237 Several compile-time options (detailed below) can be used to enable
238 features that should be enabled by default, but cannot due to backwards
239 compatibility reasons.
240 lfs This setting (disabled by default) enables Large File Support on
242 32-bit architectures where their ABI does not include LFS by
243 default, by adding -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 to
244 CPPFLAGS.
245 qa
247 Several compile-time options (detailed below) can be used to help
248 detect problems in the source code or build system.
249 bug This setting (disabled by default) adds any warning option that
251 reliably detects problematic source code. The warnings are fatal.
252 The only currently supported flags are CFLAGS and CXXFLAGS with
253 flags set to -Werror=array-bounds, -Werror=clobbered,
254 -Werror=implicit-function-declaration and
255 -Werror=volatile-register-var.
256 canary
258 This setting (disabled by default) adds dummy canary options to the
259 build flags, so that the build logs can be checked for how the
260 build flags propagate and to allow finding any omission of normal
261 build flag settings. The only currently supported flags are
262 CPPFLAGS, CFLAGS, OBJCFLAGS, CXXFLAGS and OBJCXXFLAGS with flags
263 set to -D__DEB_CANARY_flag_random-id__, and LDFLAGS set to
264 -Wl,-z,deb-canary-random-id.
265 optimize
267 Several compile-time options (detailed below) can be used to help
268 optimize a resulting binary (since dpkg 1.21.0). Note: enabling all
269 these options can result in unreproducible binary artifacts.
270 lto This setting (since dpkg 1.21.0; disabled by default) enables Link
272 Time Optimization by adding -flto=auto -ffat-lto-objects to CFLAGS,
273 CXXFLAGS, OBJCFLAGS, OBJCXXFLAGS, GCJFLAGS, FFLAGS, FCFLAGS and
274 LDFLAGS.
275 sanitize
277 Several compile-time options (detailed below) can be used to help
278 sanitize a resulting binary against memory corruptions, memory leaks,
279 use after free, threading data races and undefined behavior bugs.
280 Note: these options should not be used for production builds as they
281 can reduce reliability for conformant code, reduce security or even
282 functionality.
283 address
285 This setting (disabled by default) adds -fsanitize=address to
286 LDFLAGS and -fsanitize=address -fno-omit-frame-pointer to CFLAGS
287 and CXXFLAGS.
288 thread
290 This setting (disabled by default) adds -fsanitize=thread to
291 CFLAGS, CXXFLAGS and LDFLAGS.
292 leak
294 This setting (disabled by default) adds -fsanitize=leak to LDFLAGS.
295 It gets automatically disabled if either the address or the thread
296 features are enabled, as they imply it.
297 undefined
299 This setting (disabled by default) adds -fsanitize=undefined to
300 CFLAGS, CXXFLAGS and LDFLAGS.
301 hardening
303 Several compile-time options (detailed below) can be used to help
304 harden a resulting binary against memory corruption attacks, or provide
305 additional warning messages during compilation. Except as noted below,
306 these are enabled by default for architectures that support them.
307 format
309 This setting (enabled by default) adds -Wformat
310 -Werror=format-security to CFLAGS, CXXFLAGS, OBJCFLAGS and
311 OBJCXXFLAGS. This will warn about improper format string uses, and
312 will fail when format functions are used in a way that represent
313 possible security problems. At present, this warns about calls to
314 printf and scanf functions where the format string is not a string
315 literal and there are no format arguments, as in printf(foo);
316 instead of printf("%s", foo); This may be a security hole if the
317 format string came from untrusted input and contains ‘%n’.
318 fortify
320 This setting (enabled by default) adds -D_FORTIFY_SOURCE=2 to
321 CPPFLAGS. During code generation the compiler knows a great deal of
322 information about buffer sizes (where possible), and attempts to
323 replace insecure unlimited length buffer function calls with
324 length-limited ones. This is especially useful for old, crufty
325 code. Additionally, format strings in writable memory that contain
326 ‘%n’ are blocked. If an application depends on such a format
327 string, it will need to be worked around.
328 Note that for this option to have any effect, the source must also
330 be compiled with -O1 or higher. If the environment variable
331 DEB_BUILD_OPTIONS contains noopt, then fortify support will be
332 disabled, due to new warnings being issued by glibc 2.16 and later.
333 stackprotector
335 This setting (enabled by default if stackprotectorstrong is not in
336 use) adds -fstack-protector --param=ssp-buffer-size=4 to CFLAGS,
337 CXXFLAGS, OBJCFLAGS, OBJCXXFLAGS, GCJFLAGS, FFLAGS and FCFLAGS.
338 This adds safety checks against stack overwrites. This renders many
339 potential code injection attacks into aborting situations. In the
340 best case this turns code injection vulnerabilities into denial of
341 service or into non-issues (depending on the application).
342 This feature requires linking against glibc (or another provider of
344 __stack_chk_fail), so needs to be disabled when building with
345 -nostdlib or -ffreestanding or similar.
346 stackprotectorstrong
348 This setting (enabled by default) adds -fstack-protector-strong to
349 CFLAGS, CXXFLAGS, OBJCFLAGS, OBJCXXFLAGS, GCJFLAGS, FFLAGS and
350 FCFLAGS. This is a stronger variant of stackprotector, but without
351 significant performance penalties.
352 Disabling stackprotector will also disable this setting.
354 This feature has the same requirements as stackprotector, and in
356 addition also requires gcc 4.9 and later.
357 relro
359 This setting (enabled by default) adds -Wl,-z,relro to LDFLAGS.
360 During program load, several ELF memory sections need to be written
361 to by the linker. This flags the loader to turn these sections
362 read-only before turning over control to the program. Most notably
363 this prevents GOT overwrite attacks. If this option is disabled,
364 bindnow will become disabled as well.
365 bindnow
367 This setting (disabled by default) adds -Wl,-z,now to LDFLAGS.
368 During program load, all dynamic symbols are resolved, allowing for
369 the entire PLT to be marked read-only (due to relro above). The
370 option cannot become enabled if relro is not enabled.
371 pie This setting (with no global default since dpkg 1.18.23, as it is
373 enabled by default now by gcc on the amd64, arm64, armel, armhf,
374 hurd-i386, i386, kfreebsd-amd64, kfreebsd-i386, mips, mipsel,
375 mips64el, powerpc, ppc64, ppc64el, riscv64, s390x, sparc and
376 sparc64 Debian architectures) adds the required options to enable
377 or disable PIE via gcc specs files, if needed, depending on whether
378 gcc injects on that architecture the flags by itself or not. When
379 the setting is enabled and gcc injects the flags, it adds nothing.
380 When the setting is enabled and gcc does not inject the flags, it
381 adds -fPIE (via /usr/share/dpkg/pie-compiler.specs) to CFLAGS,
382 CXXFLAGS, OBJCFLAGS, OBJCXXFLAGS, GCJFLAGS, FFLAGS and FCFLAGS, and
383 -fPIE -pie (via /usr/share/dpkg/pie-link.specs) to LDFLAGS. When
384 the setting is disabled and gcc injects the flags, it adds -fno-PIE
385 (via /usr/share/dpkg/no-pie-compile.specs) to CFLAGS, CXXFLAGS,
386 OBJCFLAGS, OBJCXXFLAGS, GCJFLAGS, FFLAGS and FCFLAGS, and -fno-PIE
387 -no-pie (via /usr/share/dpkg/no-pie-link.specs) to LDFLAGS.
388 Position Independent Executable (PIE) is needed to take advantage
390 of Address Space Layout Randomization (ASLR), supported by some
391 kernel versions. While ASLR can already be enforced for data areas
392 in the stack and heap (brk and mmap), the code areas must be
393 compiled as position-independent. Shared libraries already do this
394 (-fPIC), so they gain ASLR automatically, but binary .text regions
395 need to be built as PIE to gain ASLR. When this happens, ROP
396 (Return Oriented Programming) attacks are much harder since there
397 are no static locations to bounce off of during a memory corruption
398 attack.
399 PIE is not compatible with -fPIC, so in general care must be taken
401 when building shared objects. But because the PIE flags emitted get
402 injected via gcc specs files, it should always be safe to
403 unconditionally set them regardless of the object type being
404 compiled or linked.
405 Static libraries can be used by programs or other shared libraries.
407 Depending on the flags used to compile all the objects within a
408 static library, these libraries will be usable by different sets of
409 objects:
410 none
412 Cannot be linked into a PIE program, nor a shared library.
413 -fPIE
415 Can be linked into any program, but not a shared library
416 (recommended).
417 -fPIC
419 Can be linked into any program and shared library.
420 If there is a need to set these flags manually, bypassing the gcc
422 specs injection, there are several things to take into account.
423 Unconditionally and explicitly passing -fPIE, -fpie or -pie to a
424 build-system using libtool is safe as these flags will get stripped
425 when building shared libraries. Otherwise on projects that build
426 both programs and shared libraries you might need to make sure that
427 when building the shared libraries -fPIC is always passed last (so
428 that it overrides any previous -PIE) to compilation flags such as
429 CFLAGS, and -shared is passed last (so that it overrides any
430 previous -pie) to linking flags such as LDFLAGS. Note: This should
431 not be needed with the default gcc specs machinery.
432 Additionally, since PIE is implemented via a general register, some
434 register starved architectures (but not including i386 anymore
435 since optimizations implemented in gcc >= 5) can see performance
436 losses of up to 15% in very text-segment-heavy application
437 workloads; most workloads see less than 1%. Architectures with more
438 general registers (e.g. amd64) do not see as high a worst-case
439 penalty.
440 reproducible
442 The compile-time options detailed below can be used to help improve
443 build reproducibility or provide additional warning messages during
444 compilation. Except as noted below, these are enabled by default for
445 architectures that support them.
446 timeless
448 This setting (enabled by default) adds -Wdate-time to CPPFLAGS.
449 This will cause warnings when the __TIME__, __DATE__ and
450 __TIMESTAMP__ macros are used.
451 fixfilepath
453 This setting (enabled by default) adds
454 -ffile-prefix-map=BUILDPATH=. to CFLAGS, CXXFLAGS, OBJCFLAGS,
455 OBJCXXFLAGS, GCJFLAGS, FFLAGS and FCFLAGS where BUILDPATH is set to
456 the top-level directory of the package being built. This has the
457 effect of removing the build path from any generated file.
458 If both fixdebugpath and fixfilepath are set, this option takes
460 precedence, because it is a superset of the former.
461 fixdebugpath
463 This setting (enabled by default) adds
464 -fdebug-prefix-map=BUILDPATH=. to CFLAGS, CXXFLAGS, OBJCFLAGS,
465 OBJCXXFLAGS, GCJFLAGS, FFLAGS and FCFLAGS where BUILDPATH is set to
466 the top-level directory of the package being built. This has the
467 effect of removing the build path from any generated debug symbols.
468
470 There are 2 sets of environment variables doing the same operations,
471 the first one (DEB_flag_op) should never be used within debian/rules.
472 It's meant for any user that wants to rebuild the source package with
473 different build flags. The second set (DEB_flag_MAINT_op) should only
474 be used in debian/rules by package maintainers to change the resulting
475 build flags.
476 DEB_flag_SET
478 DEB_flag_MAINT_SET
479 This variable can be used to force the value returned for the given
480 flag.
481 DEB_flag_STRIP
483 DEB_flag_MAINT_STRIP
484 This variable can be used to provide a space separated list of
485 options that will be stripped from the set of flags returned for
486 the given flag.
487 DEB_flag_APPEND
489 DEB_flag_MAINT_APPEND
490 This variable can be used to append supplementary options to the
491 value returned for the given flag.
492 DEB_flag_PREPEND
494 DEB_flag_MAINT_PREPEND
495 This variable can be used to prepend supplementary options to the
496 value returned for the given flag.
497 DEB_BUILD_OPTIONS
499 DEB_BUILD_MAINT_OPTIONS
500 These variables can be used by a user or maintainer to
501 disable/enable various area features that affect build flags. The
502 DEB_BUILD_MAINT_OPTIONS variable overrides any setting in the
503 DEB_BUILD_OPTIONS feature areas. See the FEATURE AREAS section for
504 details.
505 DEB_VENDOR
507 This setting defines the current vendor. If not set, it will
508 discover the current vendor by reading /etc/dpkg/origins/default.
509 DEB_BUILD_PATH
511 This variable sets the build path (since dpkg 1.18.8) to use in
512 features such as fixdebugpath so that they can be controlled by the
513 caller. This variable is currently Debian and derivatives-
514 specific.
515 DPKG_COLORS
517 Sets the color mode (since dpkg 1.18.5). The currently accepted
518 values are: auto (default), always and never.
519 DPKG_NLS
521 If set, it will be used to decide whether to activate Native
522 Language Support, also known as internationalization (or i18n)
523 support (since dpkg 1.19.0). The accepted values are: 0 and 1
524 (default).
525
527 Configuration files
528 /etc/dpkg/buildflags.conf
529 System wide configuration file.
530 $XDG_CONFIG_HOME/dpkg/buildflags.conf or
532 $HOME/.config/dpkg/buildflags.conf
533 User configuration file.
534 Packaging support
536 /usr/share/dpkg/buildflags.mk
537 Makefile snippet that will load (and optionally export) all flags
538 supported by dpkg-buildflags into variables (since dpkg 1.16.1).
539
541 To pass build flags to a build command in a Makefile:
542 $(MAKE) $(shell dpkg-buildflags --export=cmdline)
544 ./configure $(shell dpkg-buildflags --export=cmdline)
546 To set build flags in a shell script or shell fragment, eval can be
548 used to interpret the output and to export the flags in the
549 environment:
550 eval "$(dpkg-buildflags --export=sh)" && make
552 or to set the positional parameters to pass to a command:
554 eval "set -- $(dpkg-buildflags --export=cmdline)"
556 for dir in a b c; do (cd $dir && ./configure "$@" && make); done
557 Usage in debian/rules
559 You should call dpkg-buildflags or include buildflags.mk from the
560 debian/rules file to obtain the needed build flags to pass to the build
561 system. Note that older versions of dpkg-buildpackage (before dpkg
562 1.16.1) exported these flags automatically. However, you should not
563 rely on this, since this breaks manual invocation of debian/rules.
564 For packages with autoconf-like build systems, you can pass the
566 relevant options to configure or make(1) directly, as shown above.
567 For other build systems, or when you need more fine-grained control
569 about which flags are passed where, you can use --get. Or you can
570 include buildflags.mk instead, which takes care of calling dpkg-
571 buildflags and storing the build flags in make variables.
572 If you want to export all buildflags into the environment (where they
574 can be picked up by your build system):
575 DPKG_EXPORT_BUILDFLAGS = 1
577 include /usr/share/dpkg/buildflags.mk
578 For some extra control over what is exported, you can manually export
580 the variables (as none are exported by default):
581 include /usr/share/dpkg/buildflags.mk
583 export CPPFLAGS CFLAGS LDFLAGS
584 And you can of course pass the flags to commands manually:
586 include /usr/share/dpkg/buildflags.mk
588 build-arch:
589 $(CC) -o hello hello.c $(CPPFLAGS) $(CFLAGS) $(LDFLAGS)
5901.21.21 2023-02-25 dpkg-buildflags(1)