Re: Please decide how Debian should enable hardening build flags
On Sat, Nov 20, 2010 at 04:18:29PM +0100, Raphael Hertzog wrote:
> We have dpkg-buildflags available but few packages are using it and it's
> unlikely they will be all converted in the wheezy timeframe. (And every time I
> discuss how packages should communicate to dpkg-buildflags whether or not
> they want/support hardening build flags (and which one in particular), the
> discussion stalls).
It would be easy to add hardening-includes as a dep of dpkg-buildflags, and
have it pull in the defaults. (Though perhaps PIE should be turned off by
default in this case.)
> I would really like Debian to build hardened binaries by default and it
> would be great if the switch could happen early in the wheezy cycle. For
> this I think we need to have a clear plan and I hope the technical
> committee can bring some clarity here. Either by overruling the GCC
> maintainer or by designing the missing pieces so that we can at least go
> forward (I would implement what's needed in dpkg-dev if I knew what's
I stand by my preference for this being done in the compiler defaults
itself. I've been maintaining it in Ubuntu for years now; it's not very hard
to keep the patch up to date.
That said, I do recognize that it creates a delta from upstream gcc and
makes it harder to diagnose compiler bugs. I would like to have upstream
take a --configure build-time option for gcc for these defaults, but I
haven't made any headway on it.
Kees Cook @debian.org
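The two sides of the argument above (compiler defaults vs. flags injected at build time) can be made concrete by building one program both ways and checking what actually lands in the ELF output. The script below is an added example written for this page; it is not code from the thread, from dpkg-dev, or from hardening-includes. The flag literals are an assumption approximating what dpkg-buildflags prints with every hardening feature enabled; on a real Debian system compare them against `dpkg-buildflags --get CFLAGS`, `--get CPPFLAGS` and `--get LDFLAGS` rather than trusting the script. The "plain" build is compiled with no hardening flags at all, so its report shows whatever the installed toolchain turns on by itself; the "hard" build shows what the explicit flags give.

```shell
#!/bin/sh
# Added example, not from the thread. Builds one constructed C program twice:
#   plain: no hardening flags, so the report shows the toolchain's own defaults
#   hard:  with flags assumed to approximate dpkg-buildflags output with all
#          hardening features on (verify against a real dpkg-buildflags run)
# then reads the ELF output back with readelf to see which protections landed.
set -eu

CC=${CC:-cc}
command -v "$CC" >/dev/null 2>&1 || CC=gcc
command -v "$CC" >/dev/null 2>&1 || { echo "skip: no C compiler found"; exit 0; }
command -v readelf >/dev/null 2>&1 || { echo "skip: readelf (binutils) not installed"; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test program with a stack buffer, so -fstack-protector has a frame to guard.
cat > "$WORK/t.c" <<'EOF'
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv)
{
    char buf[64];
    strncpy(buf, argc > 1 ? argv[1] : "hello", sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    puts(buf);
    return 0;
}
EOF

# Assumed to mirror dpkg-buildflags with every hardening feature enabled.
HARD_CPPFLAGS="-D_FORTIFY_SOURCE=2"
HARD_CFLAGS="-O2 -fstack-protector-strong -Wformat -Werror=format-security -fPIE"
HARD_LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"

"$CC" -O2 -o "$WORK/t-plain" "$WORK/t.c"
# shellcheck disable=SC2086  (word splitting of the flag strings is intended)
"$CC" $HARD_CPPFLAGS $HARD_CFLAGS $HARD_LDFLAGS -o "$WORK/t-hard" "$WORK/t.c"

# hardening_report BINARY: prints "pie=.. relro=.. bindnow=.. canary=.." for an ELF file.
# FORTIFY_SOURCE is deliberately not reported: its *_chk symbols only appear when the
# compiler could not prove a call safe, so their absence proves nothing.
hardening_report() {
  pie=no; relro=no; bindnow=no; canary=no
  readelf -hW "$1" | grep -q 'Type:.*DYN' && pie=yes                   # ET_DYN executable
  readelf -lW "$1" | grep -q 'GNU_RELRO' && relro=yes                  # RELRO segment
  readelf -dW "$1" | grep -Eq '\(BIND_NOW\)|FLAGS.*NOW' && bindnow=yes # -z now honoured
  readelf -sW "$1" | grep -q '__stack_chk_fail' && canary=yes          # canary code emitted
  echo "pie=$pie relro=$relro bindnow=$bindnow canary=$canary"
}

# count_protections BINARY: how many of the four properties are present (0..4).
count_protections() {
  hardening_report "$1" | tr ' ' '\n' | grep -c '=yes' || true
}

echo "plain (compiler defaults only):   $(hardening_report "$WORK/t-plain")"
echo "hard  (explicit hardening flags): $(hardening_report "$WORK/t-hard")"
```

If the plain build already reports everything as "yes", the toolchain is doing what Kees describes for Ubuntu (hardening in the compiler defaults); if it reports "no" across the board, only the explicit-flags route, i.e. dpkg-buildflags or hardening-includes, is protecting packages on that system.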