I’ve told the issue of cc-wrapper adding -O2 due to fortifying silently has been brought up before, with the result of “we can’t think of a better way”.
To recap, even if I build a package in “debug mode” (i.e. CMake’s CMAKE_BUILD_TYPE=Debug, or other methods inserting -g -O0 in the command line), unless I set hardeningDisable = [ "fortify" ];, all the code will be silently built with -O2.
This makes debugging harder.
I’m not proposing to not fortify by default. Instead, I’d propose to change that “silently” part so that someone looking at the logs can at least see why they got optimized binaries.
What do you think of this idea:
Make cc-wrapper emit (what looks like) a compiler warning whenever it adds the fortification flags to a command line that both
- Contains
-g.*– Since the main hindrance that I’m aware of is to debugging, no point in warning in the absence of debug symbols - Contains
-O0or-Ogor does not contain any-O.*.
I know that command line option parsing in the wrapper script is fragile. The nice thing about a warning is that best effort is pretty good as long as we don’t otherwise change behavior.