On Sat, Nov 20, 2010 at 04:18:29PM +0100, Raphael Hertzog wrote:
> We have dpkg-buildflags available but few packages are using it and it's
> unlikely they will be all converted in the wheezy timeframe. (And every time I
> discuss how packages should communicate to dpkg-buildflags whether or not
> they want/support hardening build flags (and which one in particular), the
> discussion stalls).

It would be easy to add hardening-includes as a dep of dpkg-buildflags, and
have it pull in the defaults. (Though perhaps PIE should be turned off by
default in this case.)

> I would really like Debian to build hardened binaries by default and it
> would be great if the switch could happen early in the wheezy cycle. For
> this I think we need to have a clear plan and I hope the technical
> committee can bring some clarity here. Either by overruling the GCC
> maintainer or by designing the missing pieces so that we can at least go
> forward (I would implement what's needed in dpkg-dev if I knew what's
> needed).

I stand by my preference for this being done in the compiler defaults itself.
I've been maintaining it in Ubuntu for years now; it's not very hard to keep
the patch up to date. That said, I do recognize that it creates a delta from
upstream gcc and makes it harder to diagnose compiler bugs. I would like to
have upstream take a --configure build-time option for gcc for these
defaults, but I haven't made any headway on it.

-- 
Kees Cook @debian.org

-- 
To UNSUBSCRIBE, email to debian-gcc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20110121195506.gh4...@outflux.net
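Whichever way the flags get injected (gcc defaults, dpkg-buildflags, or hardening-includes), the question that matters afterwards is whether a given binary actually came out hardened. The following is an added example, not code from this thread, from Debian's hardening-includes, or from dpkg-dev: a small ELF64 inspector that reads the markers those build flags leave behind (ET_DYN for PIE, PT_GNU_STACK without PF_X for NX, PT_GNU_RELRO plus DT_BIND_NOW/DF_1_NOW for full RELRO, and a `__stack_chk_fail` reference as a heuristic for the stack protector, roughly what `hardening-check` looks for). Because it has to run offline, `build_sample_elf()` fabricates a synthetic, non-loadable ELF image with chosen markers; the function names and the exact dictionary keys are this example's own choices.

```python
"""Inspect ELF64 hardening markers (PIE, NX, RELRO, BIND_NOW, stack protector).

Added example for checking build-flag results; not part of the mailing-list
thread, hardening-includes, or dpkg-dev. Only little-endian ELF64 is handled.
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                  # Elf64_Dyn (d_tag is signed)


def check_hardening(data):
    """Return a dict of hardening properties read from an ELF64 image."""
    ident, e_type, _, _, _, phoff, _, _, _, phentsize, phnum, _, _, _ = \
        EHDR.unpack_from(data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    result = {
        "pie": e_type == ET_DYN,            # -fPIE/-pie yields ET_DYN
        "nx": False,                        # no PT_GNU_STACK => executable stack
        "relro": False,                     # -Wl,-z,relro adds PT_GNU_RELRO
        "bind_now": False,                  # -Wl,-z,now sets DT_BIND_NOW/DF_1_NOW
        # Heuristic: a protected binary references __stack_chk_fail.
        "stack_protector": b"__stack_chk_fail" in data,
    }
    for i in range(phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = \
            PHDR.unpack_from(data, phoff + i * phentsize)
        if p_type == PT_GNU_STACK:
            result["nx"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            result["relro"] = True
        elif p_type == PT_DYNAMIC:
            for off in range(p_offset, p_offset + p_filesz, DYN.size):
                tag, val = DYN.unpack_from(data, off)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    result["bind_now"] = True
    return result


def build_sample_elf(pie=True, nx=True, relro=True, bind_now=True,
                     stack_protector=True):
    """Construct a synthetic (constructed, non-runnable) ELF64 image carrying
    the requested markers, so check_hardening() can be exercised offline."""
    dyn_entries = []
    if bind_now:
        dyn_entries += [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)]
    dyn_entries.append((DT_NULL, 0))
    dynamic = b"".join(DYN.pack(tag, val) for tag, val in dyn_entries)
    strings = b"\0__stack_chk_fail\0" if stack_protector else b"\0"

    n_phdrs = 2 + (1 if relro else 0)       # GNU_STACK, DYNAMIC, [GNU_RELRO]
    dyn_off = EHDR.size + PHDR.size * n_phdrs
    stack_flags = PF_R | PF_W | (0 if nx else PF_X)
    phdrs = [
        PHDR.pack(PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16),
        PHDR.pack(PT_DYNAMIC, PF_R | PF_W, dyn_off, dyn_off, dyn_off,
                  len(dynamic), len(dynamic), 8),
    ]
    if relro:
        phdrs.append(PHDR.pack(PT_GNU_RELRO, PF_R, dyn_off, dyn_off, dyn_off,
                               len(dynamic), len(dynamic), 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, LE, v1
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 62, 1, 0, EHDR.size,
                     0, 0, EHDR.size, PHDR.size, n_phdrs, 0, 0, 0)
    return ehdr + b"".join(phdrs) + dynamic + strings


if __name__ == "__main__":
    # Usage: python3 check_hardening.py /path/to/binary ...
    # With no arguments, inspect the constructed samples instead.
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, check_hardening(fh.read()))
    else:
        print("hardened:", check_hardening(build_sample_elf()))
        print("no-PIE:  ", check_hardening(build_sample_elf(pie=False)))
```

"Full RELRO" in the usual sense means both `relro` and `bind_now` are true; a binary built with `-z relro` alone will show `relro` without `bind_now`. The `pie` result is exactly the property the message suggests might be left off by default, so it is worth reporting separately from the rest.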