git.notmuchmail.org Git - notmuch/commitdiff
debian: enable build hardening features
author Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Mon, 10 Jun 2019 01:35:03 +0000 (04:35 +0300)
committer David Bremner <david@tethera.net>
Tue, 11 Jun 2019 10:24:20 +0000 (07:24 -0300)
Debian's build hardening toolchain options produce binary artifacts
that are more resistant to compromise.  The most visible change for
notmuch today is likely to be the addition of the "bindnow" linker
flag, which contributes to making the "Global Offset Table" fully
read-only.

See https://wiki.debian.org/Hardening for more details.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
debian/rules

index d056edb623944822730fcb7ca13ad40457e27daa..ebd1048170839dfc90aa75c789b1669af252bee2 100755 (executable)
@@ -2,6 +2,8 @@
 
 python3_all = py3versions -s | xargs -n1 | xargs -t -I {} env {}
 
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
 %:
        dh $@ --with python2,python3,elpa
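
Review bot: the added `export DEB_BUILD_MAINT_OPTIONS = hardening=+all` line only changes what dpkg-buildflags hands to the build; nothing in this hunk shows that the upstream build passes those compiler and linker flags through to every compile and link step, so the bindnow effect described in the commit message is not verified here. Suggest confirming on a built package (for example with hardening-check from devscripts on the installed binaries and shared library, or blhc on the build log) and recording the result. A short comment above the export pointing to https://wiki.debian.org/Hardening would also tell later maintainers of debian/rules why `+all` was chosen over the default set.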