On Sat, Dec 31, 2011 at 03:20:27PM +0100, Moritz Mühlenhoff wrote:
> On Mon, Dec 26, 2011 at 08:43:18AM +0100, Mike Hommey wrote:
> > On Sat, Dec 24, 2011 at 11:40:02PM +0100, Moritz Muehlenhoff wrote:
> > > Package: iceweasel
> > > Version: 9.0.1-1
> > > Severity: wishlist
> > > 
> > > Please source the hardened build flags from dpkg-buildflags for
> > > CPPFLAGS, CXXFLAGS and LDFLAGS for the iceweasel build.
> > 
> > FWIW, dpkg-buildflags is extremely unuseful for that, because it mixes
> > hardening flags with other flags.
> 
> Is that because you use a different optimization level other than
> O2? 
> 
> I've noticed that issue with a couple of packages, so I'm considering
> submitting a patch for dpkg-buildflags, but I'd like to know if you see
> different issues?

Yeah basically I like that the old way of doing hardening didn't mess
with other flags. Though I'm not sure I like that there's not much of a
fine-grained tuning. For instance, I'm not sure -z relro buys anything
worth, while it may have a significant startup performance impact on big
applications. (and if I'm not mistaken, -z relro actually makes things
not work with selinux, seeing how selinux already breaks the mprotect
that removes the write bit on code sections after text relocations)

Mike
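
The point raised in this thread, that dpkg-buildflags hands back hardening flags mixed with other flags, shown as an added example that is not part of the original messages: a shell filter that splits a flag string into hardening flags and everything else, with an optional flag to drop (such as relro). The pattern list and the sample strings are constructed assumptions, not captured dpkg-buildflags output.

```shell
#!/bin/sh
# Added example: separate hardening flags from optimisation/debug flags.
# The patterns below are an assumed list of common hardening flags.

is_hardening_flag() {
    case "$1" in
        -fstack-protector*|--param=ssp-buffer-size=*) return 0 ;;
        -D_FORTIFY_SOURCE=*) return 0 ;;
        -Wformat|-Wformat-security|-Werror=format-security) return 0 ;;
        -fPIE|-pie|-Wl,-z,relro|-Wl,-z,now) return 0 ;;
        *) return 1 ;;
    esac
}

# hardening_only "FLAGS" [DROP]: keep only hardening flags, minus DROP.
hardening_only() {
    out=
    # $1 is left unquoted on purpose so the string splits into flags.
    for flag in $1; do
        if is_hardening_flag "$flag" && [ "$flag" != "${2:-}" ]; then
            out="${out:+$out }$flag"
        fi
    done
    printf '%s\n' "$out"
}

# other_flags "FLAGS": everything that is not a hardening flag.
other_flags() {
    out=
    for flag in $1; do
        is_hardening_flag "$flag" || out="${out:+$out }$flag"
    done
    printf '%s\n' "$out"
}

# Constructed sample values (not real dpkg-buildflags output).
SAMPLE_CFLAGS="-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security"
SAMPLE_LDFLAGS="-Wl,-z,relro -Wl,-z,now -Wl,--as-needed"

echo "hardening CFLAGS:  $(hardening_only "$SAMPLE_CFLAGS")"
echo "other CFLAGS:      $(other_flags "$SAMPLE_CFLAGS")"
echo "LDFLAGS sans relro: $(hardening_only "$SAMPLE_LDFLAGS" "-Wl,-z,relro")"
```

In a real debian/rules the input strings would come from `dpkg-buildflags --get CFLAGS` and `dpkg-buildflags --get LDFLAGS`.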


