Bug#552688: Please decide how Debian should enable hardening build flags
On Thu, 28 Jul 2011, Kees Cook wrote:
> Oh, I've thought of one additional detail in making these defaults.
> "-Werror=format-security" was only recently added, and this will likely
> cause a fair level of FTBFS from some packages. This is not one of the gcc
> defaults used in Ubuntu. It was added to hardening-includes because h-i has
> effectively been a low-volume opt-in build-dep.
> Since switching to dpkg-buildflags is also opt-in, it probably shouldn't
> hurt too much, but I have never attempted an archive-wide rebuild with
> -Werror=format-security added to the hardening flags.
It's not opt-in for all packages, any package using "dh" and CDBS is
already using dpkg-buildflags... so we should definitely get some
statistics before deciding to keep this by default.
Can you do the work of collecting those statistics? Tollef has access
to a big machine where building all package takes 14h. Roger Leigh used
it for that kind of research.
Maybe you can do the rebuild without -Werror=format-security and just grep
the log to find out those that would fail.
Raphaël Hertzog ◈ Debian Developer
Follow my Debian News ▶ http://RaphaelHertzog.com (English)
▶ http://RaphaelHertzog.fr (Français)