Bug#552688: Please decide how Debian should enable hardening build flags
On Thu, Jul 28, 2011 at 02:42:16PM -0700, Kees Cook wrote:
> On Thu, Jul 28, 2011 at 11:02:16PM +0200, Raphael Hertzog wrote:
> > If hardening-includes/hardening-wrapper is still used by that package,
> > does it really matter what dpkg-buildflags is returning?
> Yeah, all true. I guess it should be in the docs that cover migration from
> h-i/h-w. Looking at the git branch, you've already handled the "and
> supported" option, so just "DEB_BUILD_HARDENING_PIE=1" is sufficient.
That said, maintainers may want to disable hardening features on a
file-by-file basis. Right now, it's possible to use all the stuff defined
in hardening.make to get at those for filtering. It seems like we need
something similar here? (Basically, the corner case described at line 102

Kees Cook @debian.org