Merge pull request #129328 from nh2/manual-fix-hardening-flags-sections

manual: hardening: Fix disabled flags prose being in previous section
author: Niklas Hambüchen <mail@nh2.me> 2021-07-05 23:11:22 +0200
committer: GitHub <noreply@github.com> 2021-07-05 23:11:22 +0200
commit: 3ac484ef83be5fb1e6bd171aeffb432cc06756d6 (patch)
tree: 79980e28b7c64cc4371976adc8739320f46bc90c /pkgs/stdenv
parent: e3165c4c213e7fbc9420ce01e016bac81eb37bcb (diff)
parent: 7cfaba911d8f82997c3120c8648314c23a77ed4c (diff)
download: nixlib-3ac484ef83be5fb1e6bd171aeffb432cc06756d6.tar
nixlib-3ac484ef83be5fb1e6bd171aeffb432cc06756d6.tar.gz
nixlib-3ac484ef83be5fb1e6bd171aeffb432cc06756d6.tar.bz2
nixlib-3ac484ef83be5fb1e6bd171aeffb432cc06756d6.tar.lz
nixlib-3ac484ef83be5fb1e6bd171aeffb432cc06756d6.tar.xz
nixlib-3ac484ef83be5fb1e6bd171aeffb432cc06756d6.tar.zst
nixlib-3ac484ef83be5fb1e6bd171aeffb432cc06756d6.zip
1 files changed, 3 insertions, 1 deletions
diff --git a/pkgs/stdenv/generic/make-derivation.nix b/pkgs/stdenv/generic/make-derivation.nix
index 4536024c5118..d6704d59111a 100644
--- a/pkgs/stdenv/generic/make-derivation.nix
+++ b/pkgs/stdenv/generic/make-derivation.nix
@@ -110,7 +110,9 @@ in rec {
                                       ++ depsTargetTarget ++ depsTargetTargetPropagated) == 0;
       dontAddHostSuffix = attrs ? outputHash && !noNonNativeDeps || !stdenv.hasCC;
       supportedHardeningFlags = [ "fortify" "stackprotector" "pie" "pic" "strictoverflow" "format" "relro" "bindnow" ];
-                              # Musl-based platforms will keep "pie", other platforms will not.
+      # Musl-based platforms will keep "pie", other platforms will not.
+      # If you change this, make sure to update section `{#sec-hardening-in-nixpkgs}`
+      # in the nixpkgs manual to inform users about the defaults.
       defaultHardeningFlags = if stdenv.hostPlatform.isMusl &&
                                 # Except when:
                                 #    - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries.
author	Niklas Hambüchen <mail@nh2.me>	2021-07-05 23:11:22 +0200
committer	GitHub <noreply@github.com>	2021-07-05 23:11:22 +0200
commit	3ac484ef83be5fb1e6bd171aeffb432cc06756d6 (patch)
tree	79980e28b7c64cc4371976adc8739320f46bc90c /pkgs/stdenv
parent	e3165c4c213e7fbc9420ce01e016bac81eb37bcb (diff)
parent	7cfaba911d8f82997c3120c8648314c23a77ed4c (diff)
download	nixlib-3ac484ef83be5fb1e6bd171aeffb432cc06756d6.tar nixlib-3ac484ef83be5fb1e6bd171aeffb432cc06756d6.tar.gz nixlib-3ac484ef83be5fb1e6bd171aeffb432cc06756d6.tar.bz2 nixlib-3ac484ef83be5fb1e6bd171aeffb432cc06756d6.tar.lz nixlib-3ac484ef83be5fb1e6bd171aeffb432cc06756d6.tar.xz nixlib-3ac484ef83be5fb1e6bd171aeffb432cc06756d6.tar.zst nixlib-3ac484ef83be5fb1e6bd171aeffb432cc06756d6.zip