debian/rules: Set DEB_BUILD_MAINT_OPTIONS in shell

This makes these hardening options actually effective.

Closes: #939560 (1/3)
Reported-by: Guillem Jover <guillem@debian.org>
Signed-off-by: Ian Jackson <ian.jackson@citrix.com>

diff --git a/debian/rules b/debian/rules
index b96017a7bae9be22b1b4521a7433d5ac1d959389..fdf68805b477bceb291b320d0db59fe7f683ce7a 100755 (executable)
--- a/debian/rules
+++ b/debian/rules
@@ -16,7 +16,10 @@ SHELL    := bash -e
 # of them are sane to use in the hypervisor context, rather than
 # simply in userland binaries.
 #
-export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+# Inexplicably, if you tell make `export V=value' and `$(shell ...)'
+# it does not pass V to the shell.  WTF.  So we set a variable
+# dbmo which we include in the relevant $(shell ...) invocations.
+dbmo= DEB_BUILD_MAINT_OPTIONS=hardening=+all
 
 # Architecture handling.
 #
@@ -127,9 +130,9 @@ export WGET=/bin/false GIT=/bin/false
 
 t=$(PWD)/debian/tmp
 
-dpkg_CFLAGS   := $(shell dpkg-buildflags --get CFLAGS)
-dpkg_CPPFLAGS := $(shell dpkg-buildflags --get CPPFLAGS)
-dpkg_LDFLAGS  := $(shell dpkg-buildflags --get LDFLAGS)
+dpkg_CFLAGS   := $(shell $(dbmo) dpkg-buildflags --get CFLAGS)
+dpkg_CPPFLAGS := $(shell $(dbmo) dpkg-buildflags --get CPPFLAGS)
+dpkg_LDFLAGS  := $(shell $(dbmo) dpkg-buildflags --get LDFLAGS)
 
 make_args_xen= $(make_args_common) \
        XEN_COMPILE_ARCH=$(xen_arch_$(DEB_BUILD_ARCH)) \