
Re: Enabling hardened build flags for Wheezy



On Wed, Feb 29, 2012 at 10:52:10PM +0100, Moritz Muehlenhoff wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> 
> Since it will be almost impossible to convert all packages before
> Wheezy freezes, a specific sub-group of packages receives targeted 
> attention:
> 
> * All packages, which have had a DSA since 2006
> * All packages, which are of Priority >= important

Dear Moritz and everybody,

we are starting to receive bugs, severity important, for packages that are not
of the above, where for instance the patch consists in bumping Debhelper's
compatibility level from 8 to 9.

I admit that I have strictly no understanding of the consequences of not fixing
these bugs in a timely manner.  Severity important suggests to me that it is
better to solve that bug first before doing other work such as introducing new
features or updating other packages, and that there is an "important" risk for
our users of being victims of attacks that can be prevented by the hardening.
Perhaps people could file these bugs at a "normal" severity, if this is not the
case.

But my main question is the following:

In another bug, the problem is that CPPFLAGS is ignored in upstream's makefile.
I understand that the semantics of CFLAGS and CPPFLAGS are not the same, but I
also note that a large number of our upstreams are not making the difference
and use CFLAGS as a catch-all variable.

Would it be possible to pass -D_FORTIFY_SOURCE=2 in CFLAGS in addition to
CPPFLAGS?

Have a nice day,

-- 
Charles Plessy
Debian Med packaging team,
http://www.debian.org/devel/debian-med
Tsurumi, Kanagawa, Japan
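
Added example, not part of the original message or of any Debian tool: a shell check that scans a build log for C compile steps lacking -D_FORTIFY_SOURCE=2, which is how an upstream makefile that ignores CPPFLAGS shows up in practice. The function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect compile steps that did not receive
# -D_FORTIFY_SOURCE=2 (symptom of a makefile that ignores CPPFLAGS).

# write_sample_log FILE
# Writes a constructed build log: one compile line with the flag,
# one without it, and one link line (which should never be reported).
write_sample_log() {
    cat > "$1" <<'EOF'
gcc -g -O2 -D_FORTIFY_SOURCE=2 -c -o main.o main.c
gcc -g -O2 -c -o util.o util.c
gcc -Wl,-z,relro -o demo main.o util.o
EOF
}

# missing_fortify FILE
# Prints every line that invokes gcc/cc (also prefixed names such as
# x86_64-linux-gnu-gcc) with -c on a .c file but without the flag.
# Exit status 0 if at least one such line exists, 1 otherwise.
missing_fortify() {
    grep -E '(^|[ /-])(gcc|cc) ' "$1" \
        | grep -F -e ' -c ' \
        | grep -E '\.c( |$)' \
        | grep -v -F -e '-D_FORTIFY_SOURCE=2'
}

# Demonstration on the constructed log.
log=$(mktemp)
write_sample_log "$log"
echo "Compile lines missing -D_FORTIFY_SOURCE=2:"
missing_fortify "$log" || echo "(none)"
rm -f "$log"
```

The check only sees what the build prints, so it needs a verbose build log in which the full compiler command lines appear.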

