Bug#552688: Please decide how Debian should enable hardening build flags
Oh, I've thought of one additional detail in making these defaults.
"-Werror=format-security" was only recently added, and this will likely
cause a fair level of FTBFS from some packages. This is not one of the gcc
defaults used in Ubuntu. It was added to hardening-includes because h-i has
effectively been a low-volume opt-in build-dep.
Since switching to dpkg-buildflags is also opt-in, it probably shouldn't
hurt too much, but I have never attempted an archive-wide rebuild with
-Werror=format-security added to the hardening flags.
Personally, I think it's a good idea to fix them all, but on the other
hand, having _FORTIFY_SOURCE enabled _should_ block most of the dangerous
format string conditions. It won't block leaks, though, which could lead to
stack protection bypasses, etc.
So, I'll be sure to call it out in documentation. I may reproduce the
Ubuntu wiki page I wrote for reference in the Debian wiki, since it is
where we send people by default when the hardening flags cause problems:
Kees Cook @debian.org