
Re: Bits from the Security Team
On Thu, Mar 06, 2014 at 05:33:42AM +0100, Matthias Klose wrote:
> Am 06.03.2014 02:00, schrieb Paul Wise:
> >> * The distribution hardening using dpkg-buildflags is coming along
> >>   nicely.
> > 
> > Unfortunately this doesn't apply to binaries compiled outside of the
> > package building system. It would be great if we could adopt the
> > Ubuntu approach of just enabling the flags in GCC itself. Even better
> > would be to get GCC upstream to finally enable them by default.
> 
> This should not be enabled in the distro itself, and if, then not before it can
> be enabled upstream.  From my point of view it was a mistake to enable it this
> way before getting this upstream.  However it is a lot of work to get the
> compiler to build itself with these flags and the testsuite produce the same
> results as without these.  In the past neither the Ubuntu security team nor the
> Google ChromeOS team had time and resources to bring these patches upstream.

I agree we should stick with dpkg-buildflags until this is fixed upstream.
Gentoo Hardened tried to upstream this a year ago, but apparently this didn't make 
the cut yet:
http://gcc.gnu.org/ml/gcc-patches/2012-09/msg00473.html

As for the GSoC project: GCC participates; if anyone wants to push this, I suggest
talking to GCC developers and seeing whether there's a mentor available.

Cheers,
        Moritz