* debian/rules: Do not hard-code CFLAGS and LDFLAGS. Build with all

hardening flags set. Closes: #657010

debian/changelog

@@ -92,12 +92,14 @@ shadow (1:4.1.5-1) unstable; urgency=low
     with gcov to avoid coverage false negatives. This does not impact the
     debian binary package, only the test package.
   * debian/control: Add Build-Depends on libsemanage1-dev [linux-any]
+  * debian/rules: Do not hard-code CFLAGS and LDFLAGS. Build with all
+    hardening flags set. Closes: #657010
 
   [ Christian Perrier ]
   * Use "linux-any" instead of a negated list of architectures in
     Build-Depends. Closes: #634465
 
- -- Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>  Sat, 19 Nov 2011 16:57:55 +0100
+ -- Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>  Tue, 24 Jan 2012 20:06:43 +0100
 
 shadow (1:4.1.4.2+svn3283-3) unstable; urgency=high
 

debian/rules

@@ -8,6 +8,16 @@ ifeq ($(DEB_HOST_ARCH_OS),hurd)
 override DEB_ARCH_PACKAGES=passwd
 endif
 
+# To be set before loading any CDBS files (#651964)
+#CDBS_FIX_COMPILE_FLAGS = 1
+# Enable PIE, BINDNOW, and possible future flags.
+#export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+# Unfortunately, this is not working (#651966), set flags manually
+
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk
+
 include /usr/share/cdbs/1/rules/debhelper.mk
 # Specify where dh_install will find the files that it needs to move:
 DEB_DH_INSTALL_SOURCEDIR=debian/tmp
@@ -32,14 +42,6 @@ endif
 # Automatically controls patching at build time:
 include /usr/share/cdbs/1/rules/patchsys-quilt.mk
 
-CFLAGS = -g -W -Wall
-ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
-  CFLAGS += -O0
-else
-  CFLAGS += -O2
-endif
-export CFLAGS
-
 # Add extras to the install process:
 binary-install/login::
 	dh_installpam -p login