Re: Building perl and XS modules with hardening flags



On Sat, May 14, 2011 at 12:05:00AM +0200, Ansgar Burchardt wrote:
> I was wondering if it would make sense to build perl with hardening
> flags.  This would make it harder to use bugs in the interpreter or the
> XS modules to compromise a system.  It looks like Ubuntu already does
> this by default for all packages[1], so breakage should be limited.
> 
> On Debian[2], hardening-includes provides a makefile snippet to set
> architecture-validated hardening flags.
> 
> If deemed useful, we could try enabling them in perl 5.14 as I assume
> this will get some more testing in experimental.

It's not high up on my list of priorities at the moment, but I've
made a note of this at <http://wiki.debian.org/PerlMaintenance>.

Can we be sure that these changes will maintain binary compatibility?
If so, maybe the best first step will be to try the change on some
auxiliary perl modules, prior to filing bugs on perl and any other
required build tools.

However I do wonder about the benefit of spending time on doing this
at a perl-specific level rather than working on getting the flags
enabled globally. Maybe we should wait to see what the outcome of the
BoF mentioned at
<http://lists.debian.org/debian-devel-announce/2011/01/msg00006.html>
will be.

Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

