Hi. subscribers to
#835146 "dpkg: please enable bindow hardening flag by default"
This mail chain arises from some QA work in src:its-playback-time
about the recommendation in the wiki to set
DEB_BUILD_MAINT_OPTIONS=hardening=+all
Andreas, thanks for the reply. I appreciate your points.
This one I think could do with some more followup:
Andreas Tille writes ("Re: Bug#969093: Patch: Newer upstream version of
its-playback-time"):
> On Tue, May 05, 2026 at 10:45:04PM +0100, Ian Jackson wrote:
> > 2. DEB_BUILD_MAINT_OPTIONS=hardening=+all
> >
> > You added this to d/rules.
> >
> > I could find no documentation in Debian Policy to support this change.
> > I found documentation of the behaviour in dpkg-buildflags. I think
> > you may be following the advice in
> > https://wiki.debian.org/HardeningWalkthrough
> > which says things like "Since Debian 7 ("wheezy").
> >
> > It is unclear to me why we would want -z now, and PIE executables.
> >
> > Are you sure this information is up to date? If we want to make a
> > change to the usual compiler flags, I doubt that making this change to
> > every package, piecemeal, is a sensible way to go about it. Policy
> > should be updated. We have transition arrangements to deal with build
> > breakages, or this could be done by dh in newer compat level, or
> > something.
>
> I absolutely agree that it's a nuisance to add this manually.
> The thing is that for nearly all packages you would need
>
> blhc:
>   allow_failure: true
Well, I dropped that change, so now the rules file is doing nothing
special, and the blhc pipeline job passes.
> in debian/salsa-ci.yml to pass Salsa CI. As a consequence of my
> decision to not use salsa-ci.yml and by considering passing all tests a
> sensible goal I added the hardening options. I personally understood
> the Wiki page in a way that we want this and have not seen this as
> questionable.
But, more fundamentally, I think this is the wrong way to look at the
question.
Wiki pages are far from authoritative and very easily get out of date,
especially if they are not monitored and maintained. In any case,
whoever put that on the wiki page may have been misguided.
And, I wouldn't blindly adopt suggestions from linters and QA tools.
They can have false positives, and/or make suggestions which are
inappropriate in context. (And sometimes I even disagree with a lint
in principle, although that doesn't seem to be the case here.)
My starting point is that our tooling should do the right thing by
default when used in the usual way. And if something ought
generally to be done a particular way, we should achieve that by
changing tooling defaults. The override options like
DEB_BUILD_MAINT_OPTIONS are there for situations where we need to
diverge from the usual behaviour.
That's certainly the philosophy in dh. And in this case it seems that
this text has remained unchanged since it was added in February
2012, 14 years ago. I can find little rationale even then.
I did find this
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=489771#154
where it seems the decision not to turn on pie (for example) was
apparently taken deliberately. Looking through the changelog and bug
list for src:dpkg I do see new hardening flags being added to the
default set. So the defaults are being maintained.
Eventually, I found this:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=835146
where it seems that the merits of enabling bindnow are disputed?
And this extensive thread from 2016:
https://lists.debian.org/debian-devel/2016/11/msg00808.html
It would be great if someone who understands the underlying situation
would edit the wiki page to at least add some of these references.
Ideally we'd either revise the advice there or add a rationale
explaining why we're recommending that everyone should be setting
non-default options.
Thanks, all.
Ian.
--
Ian Jackson <[email protected]> These opinions are my own.
Pronouns: they/he. If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.
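The two flags the thread is about, "-z now" (hardening=+bindnow) and PIE (hardening=+pie), each leave a visible mark in the linked ELF: "-z now" sets BIND_NOW in DT_FLAGS (and NOW in DT_FLAGS_1; very old linkers emit a DT_BIND_NOW entry instead), and a PIE is an ET_DYN executable, which newer linkers additionally tag with DF_1_PIE in DT_FLAGS_1. blhc grades the build log for the flags; hardening-check reads the binary. The following is an added example, not Ian's code nor anything from dpkg, blhc or hardening-check, that performs the binary-side check directly. Constants come from the ELF ABI; the two sample images are constructed in the block and are not loadable, and the hardening=+all behaviour they stand in for is an assumption of the example.

```python
"""Inspect an ELF64 binary for PIE and BIND_NOW, the link-time results of
"-pie" and "-z now".  Added example; not code from dpkg, blhc or
hardening-check.  Assumes little-endian ELF64 (e.g. amd64/arm64)."""
import struct

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8                       # bit in DT_FLAGS
DF_1_NOW, DF_1_PIE = 0x1, 0x08000000    # bits in DT_FLAGS_1


def inspect(elf: bytes) -> dict:
    """Return {'pie', 'pie_flag', 'bind_now'} for an ELF64 image in memory.

    'pie' is the classic test (e_type == ET_DYN), which a shared library
    also satisfies; 'pie_flag' is DF_1_PIE, which newer linkers set only
    on executables and so tells the two apart when present."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_type,) = struct.unpack_from("<H", elf, 16)
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    flags = flags_1 = 0
    legacy_bind_now = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", elf, off)
        if p_type != PT_DYNAMIC:
            continue
        pos, end = p_offset, p_offset + p_filesz
        while pos + 16 <= end:              # walk the dynamic section
            tag, val = struct.unpack_from("<qQ", elf, pos)
            pos += 16
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW:          # old-style marker, value unused
                legacy_bind_now = True
            elif tag == DT_FLAGS:
                flags = val
            elif tag == DT_FLAGS_1:
                flags_1 = val
    return {
        "pie": e_type == ET_DYN,
        "pie_flag": bool(flags_1 & DF_1_PIE),
        "bind_now": legacy_bind_now
        or bool(flags & DF_BIND_NOW)
        or bool(flags_1 & DF_1_NOW),
    }


def inspect_file(path: str) -> dict:
    """Same check on a file on disk, e.g. a binary under debian/<pkg>/usr/bin."""
    with open(path, "rb") as f:
        return inspect(f.read())


def build_elf(e_type: int, dyn_entries) -> bytes:
    """Constructed sample input: a minimal, non-loadable ELF64 image whose
    only program header is a PT_DYNAMIC segment with the given entries."""
    ehsize, phentsize = 64, 56
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    dyn_off = ehsize + phentsize
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, ehsize,
                               0, 0, ehsize, phentsize, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0,
                       len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn


# Constructed samples: a non-PIE, lazily bound link (assumed to stand for a
# build without the extra flags) versus one linked with -pie -z now.
PLAIN = build_elf(ET_EXEC, [(DT_FLAGS, 0)])
HARDENED = build_elf(ET_DYN, [(DT_FLAGS, DF_BIND_NOW),
                              (DT_FLAGS_1, DF_1_NOW | DF_1_PIE)])

if __name__ == "__main__":
    import sys
    for name, img in (("plain", PLAIN), ("hardened", HARDENED)):
        print(name, inspect(img))
    for path in sys.argv[1:]:
        print(path, inspect_file(path))
```

Run it with the paths of the built binaries to see which of the two properties a package actually ends up with; `readelf -h` (Type: DYN) and `readelf -d` (FLAGS BIND_NOW, FLAGS_1 NOW PIE) show the same fields by hand. Whether a given build gets them is decided by the LDFLAGS dpkg-buildflags hands out, so comparing `dpkg-buildflags --get LDFLAGS` with and without DEB_BUILD_MAINT_OPTIONS=hardening=+all in the environment shows what the wiki recommendation changes for the toolchain in use.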