Bug#552688: [firstname.lastname@example.org: Bug#552688: Please decide how Debian should enable hardening build flags]
On Thu, 28 Jul 2011, Kees Cook wrote:
> > It would not be reasonable for dpkg-dev to depend on hardening-includes so
> > my plan was basically to move this logic into dpkg-dev. But instead of
> > duplicating it we can find a way for hardening-includes to reuse the logic
> > that would be integrated in dpkg-dev.
> That seems fine to me as long as I'm in a position to still be able to fix
> bugs in the logic. :)
Well, it's low-maintenance mode I hope so I have no problem merging your
patches whenever needed.
> I'm totally fine with h-i going away. The "hardening-check" script will
> need somewhere to live, though.
lintian? devscripts? dpkg-dev? I'm not sure what the best place is. But I
would really like lintian to check if all binaries are built with hardening
flags. It should probably not report any problem as long as one of
the hardening feature has been found.
That way it's still possible to disable some of the hardening features
without generating a warning that you have to override.
> Do you have an example of what the STRIP stuff would look like for a build?
> I don't want maintainers to have to know what all the individual flags are,
> especially since they might change, which is why I did what I did in h-i.
DEB_CFLAGS_MAINT_STRIP="-fPIE" DEB_LDFLAGS_MAINT_STRIP="-fPIE -pie" dpkg-buildflags
So yes it requires precise knowledge of the flag in use. To make this
less obnoxious I can certainly include a copy of the default flags
in the new /usr/share/dpkg/buildflags.mk file and let maintainer
use the variables listed there instead of hardcoding the precise set of
(I just did that in my pu/build-flags test branch)
But this is all rather verbose, maybe it's best to keep some separate
logic to enable/disable hardening features. Other opinions are welcome.
Maybe with a DEB_BUILD_MAINT_OPTIONS variable.
> Hopefully I explained this in the other thread. The situation is that
> everyone presently using h-w/i expects to build PIE, on architectures
> that _support_ it, including architectures that should not use it by
> _default_. So we need an easy way in a specific package to turn on PIE
> for architectures that support it, but for which we don't want it on by
Maybe something like this:
Raphaël Hertzog ◈ Debian Developer
Follow my Debian News ▶ http://RaphaelHertzog.com (English)
▶ http://RaphaelHertzog.fr (Français)