On Sat, Dec 31, 2011 at 03:20:27PM +0100, Moritz Mühlenhoff wrote:
> On Mon, Dec 26, 2011 at 08:43:18AM +0100, Mike Hommey wrote:
> > On Sat, Dec 24, 2011 at 11:40:02PM +0100, Moritz Muehlenhoff wrote:
> > > Package: iceweasel
> > > Version: 9.0.1-1
> > > Severity: wishlist
> > >
> > > Please source the hardened build flags from dpkg-buildflags for
> > > CPPFLAGS, CXXFLAGS and LDFLAGS for the iceweasel build.
> >
> > FWIW, dpkg-buildflags is extremely unuseful for that, because it mixes
> > hardening flags with other flags.
>
> Is that because you use a different optimization level other than
> O2?
>
> I've noticed that issue with a couple of packages, so I'm considering to
> submit a patch for dpkg-buildflags, but I'd like to know if you see
> different issues?

Yeah basically I like that the old way of doing hardening didn't mess
with other flags. Though I'm not sure I like that there's not much of a
fine grained tuning. For instance, I'm not sure -z relro buys anything
worth, while it may have a significant startup performance impact on big
applications. (and if I'm not mistaken, -z relro actually makes things
not work with selinux, seeing how selinux already breaks the mprotect
that removes the write bit on code sections after text relocations)

Mike
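
The separation discussed in this thread, as an added example (not code from dpkg, the iceweasel packaging, or either participant): a shell helper that keeps only the hardening flags from a dpkg-buildflags-style string, dropping the debug and optimization flags mixed in with them and, on request, `-Wl,-z,relro`. The function name `hardening_only`, its `drop-relro` argument and the sample flag strings are constructed for this illustration.

```shell
#!/bin/sh
# hardening_only "<flags>" [drop-relro]
# Prints the flags from $1 with debug/optimization flags removed, so a
# package can keep its own -O level while still taking the hardening set.
# With "drop-relro" as $2, -Wl,-z,relro is removed as well.
hardening_only() {
    out=""
    for f in $1; do            # unquoted on purpose: split on whitespace
        case "$f" in
            -g|-g[0-9]|-ggdb*|-O|-O?|-Ofast)
                continue ;;    # debug info / optimization level
            -Wl,-z,relro)
                if [ "${2:-}" = "drop-relro" ]; then continue; fi ;;
        esac
        out="${out:+$out }$f"
    done
    printf '%s\n' "$out"
}

# Constructed sample values standing in for `dpkg-buildflags --get ...`
# output; real output depends on the dpkg version and architecture.
SAMPLE_CFLAGS="-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security"
SAMPLE_LDFLAGS="-Wl,-z,relro"

# The package's own optimization level plus only the hardening flags.
CFLAGS="-Os $(hardening_only "$SAMPLE_CFLAGS")"
LDFLAGS="$(hardening_only "$SAMPLE_LDFLAGS" drop-relro)"
echo "CFLAGS=$CFLAGS"
echo "LDFLAGS=$LDFLAGS"
```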