Re: Introducing security hardening features for Lenny
On Tue, Jan 29, 2008 at 04:15:27PM -0800, Kees Cook wrote:
> On Tue, Jan 29, 2008 at 11:17:37PM +0100, sean finney wrote:
> In trying to not duplicate effort, I've been working both in Debian and
> Ubuntu to help get these options enabled globally.
> > I have to repeat the question that tfheen asked on that list... why
> > DEB_BUILD_HARDENING=1, and not DEB_BUILD_OPTS=hardening (thus the same as
> > nostrip,noopt,etc).
> I'm all for making it as easy as possible to enable the flags. (Like I
> said in the other thread: patches welcome.) I'd probably want it to be
> "nohardening", making compiles hardened by default. :)
I also think it makes more sense to use DEB_BUILD_OPTIONS. OTOH, this
might introduce some transition problems, when we move to opt-in for
hardening to having a hardened toolchain by default and thus opt-out.
On the other hand, maybe the set of packages is orthogonal, i.e.
packages which might use hardening before the toolchain does by default
is probably a different set to the packages which want to disable
hardening after the move, due to some issues, not sure.