diff options
Diffstat (limited to 'dns/dnsmasq-devel/Makefile')
| -rw-r--r-- | dns/dnsmasq-devel/Makefile | 41 |
1 files changed, 36 insertions, 5 deletions
diff --git a/dns/dnsmasq-devel/Makefile b/dns/dnsmasq-devel/Makefile index 5149a1289c7e..2d71c213b862 100644 --- a/dns/dnsmasq-devel/Makefile +++ b/dns/dnsmasq-devel/Makefile @@ -1,7 +1,7 @@ PORTNAME= dnsmasq -DISTVERSION= 2.92test16 # remember to bump PORTEPOCH when going from test to rc! +DISTVERSION= 2.92test21 # remember to bump PORTEPOCH when going from test to rc! # Leave the PORTREVISION in even if 0 to avoid accidental PORTEPOCH bumps: -PORTREVISION= 0 +PORTREVISION= 1 PORTEPOCH= 6 CATEGORIES= dns #MASTER_SITES= LOCAL/mandree/ \ @@ -18,7 +18,7 @@ LICENSE= GPLv2 DEPRECATED= Short-lived test branch, to be removed after v2.92 release -USES= cpe shebangfix tar:xz +USES= compiler cpe shebangfix tar:xz CPE_VENDOR= thekelleys SHEBANG_FILES= contrib/dnslist/dnslist.pl \ @@ -30,8 +30,28 @@ MAKE_ARGS= CC="${CC}" \ LIBS="${LDFLAGS}" \ PREFIX="${PREFIX}" \ RPM_OPT_FLAGS="${CPPFLAGS}" -CFLAGS+= -Wall -Wno-unused-function -Wno-unused-parameter \ - -Wno-unused-value -Wno-unused-variable +CFLAGS+= -Wall +# https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html +# Note there are ${ARCH}-dependent options below after .include <bsd.port.pre.mk> +# Note that these are enforced for now (2025-09-16), and we can't subject them to PIE/FORTIFY/SSP_UNSAFE or WITHOUT_ options for now. +CFLAGS+= -Wall -Wformat -Wformat=2 \ + -Werror=format-security \ + -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 \ + -fstrict-flex-arrays=3 \ + -fstack-clash-protection -fstack-protector-strong \ + -fno-delete-null-pointer-checks -fno-strict-overflow \ + -fno-strict-aliasing -ftrivial-auto-var-init=zero +LDFLAGS+= -Wl,-z,nodlopen -Wl,-z,noexecstack \ + -Wl,-z,relro -Wl,-z,now \ + -Wl,--as-needed -Wl,--no-copy-dt-needed-entries +CFLAGS+= -fPIE +LDFLAGS+= -pie +# error on obsolete C constructs +CFLAGS+= -Werror=implicit -Werror=incompatible-pointer-types \ + -Werror=int-conversion +# tune down harmless warnings due to coding style +CFLAGS+= -Wno-unused-function -Wno-unused-parameter \ + -Wno-unused-value -Wno-unused-variable -Wno-format-nonliteral CPPFLAGS+= -I${LOCALBASE}/include CONFLICTS_INSTALL= dnsmasq-2* @@ -102,6 +122,17 @@ USE_RC_SUBR= dnsmasq .include <bsd.port.pre.mk> +# https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html +.if ${ARCH} == "amd64" +CFLAGS+= -fcf-protection=full +.endif +.if ${ARCH} == "aarch64" +CFLAGS+= -mbranch-protection=standard +.endif +.if ${CHOSEN_COMPILER_TYPE} == "gcc" +CFLAGS+= -Wtrampolines +.endif + LDFLAGS+= -L${LOCALBASE}/lib ${_intllibs} ${ICONV_LIB} post-patch: |