Bug#552688: Please decide how Debian should enable hardening build flags
On 21.11.2010 08:39, Raphael Hertzog wrote:
> CCing Kees Cook, he has been the one leading the efforts up to now. I hope
> he can answer your queries.
> On Sat, 20 Nov 2010, Don Armstrong wrote:
> > There are a couple of things here that should be worked out first
> > before the CTTE can make a decision:
I assume that there is a decision to turn on hardening defaults? Who made it,
and which defaults to turn on? Which ports should it use? Where is it
documented? So involvement of the ctte seems to be a bit premature, asking the
*how* before the *if*. As said before in the report, it should be reassigned to
> > 1) Has gcc's upstream been approached about including this patch? What
> > was their response?
Afaik, not submitted, and not upstreamable in this form.
> > 2) Has the archive been successfully rebuilt with the proposed patch?
I think this patch is used in Ubuntu, so mostly yes. I guess Kees Cook or
Steve Langasek should be able to tell us a bit more.
> > 3) Since Matthias has indicated that he doesn't have the resources to
> > steward this patch in Debian, who is going to work on maintaining it
> > if upstream isn't interested in the patch and the CTTE decides to
> Kees, would you be willing to take this responsibility in that case?
The patch itself is "maintained", however it requires patches to the testsuite
which are not maintained. They are in 4.4, partially forwarded, incomplete for
4.5 and not done at all for trunk. So I do have an answer about the
responsibility (and no, you won't convince me otherwise in a few weeks or months
having seen this for years).
An additional effort is testing with upstream builds for submitting bug reports.
I didn't see anybody step up to do this testing, and the toolchain would diverge
much more from upstream.
> > Alternatives to patching gcc include making dpkg-buildflags more
> > prevalent, a wrapper that we require to install on buildds (coupled
> > with throwing away binary builds), or some combination of the above.
yes, I consider the current solution a hack, introduced in some derivatives by the
lack of resources to get it done properly as nearly any other distribution is
doing it. Changes to the build flags should be injected in the package build
system, not by changing the compiler itself. I first submitted a patch to
introduce default flags from the environment, this was replaced/refined by
dpkg-buildflags. Now please work on getting it honored in the package builds
and maybe make it a policy for packages with a certain priority.
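One way to verify that a package build actually honours the injected flags, rather than relying on a patched compiler, is to audit the build log. The script below is an added example, not code from this bug report or from dpkg; it assumes the usual hardening options (-fstack-protector, -D_FORTIFY_SOURCE=2, -Wformat -Wformat-security, -Wl,-z,relro) and the build log it scans is constructed.

```sh
#!/bin/sh
# Added example (not from the bug thread): audit a package build log and
# report compiler invocations that lack the hardening flags dpkg-buildflags
# is meant to inject. The flag list and the sample log are assumptions.

# Print the hardening options missing from one compiler command line.
# Returns 0 when none are missing, 1 otherwise.
check_hardening() {
    cmdline=" $1 "
    missing=""
    for flag in -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Wl,-z,relro; do
        case "$cmdline" in
            *" $flag "*) ;;
            *) missing="$missing $flag" ;;
        esac
    done
    # _FORTIFY_SOURCE is a no-op without optimisation, so report that too.
    case "$cmdline" in
        *" -O "*|*" -O"[1-3s]" "*) ;;
        *) missing="$missing no-optimisation" ;;
    esac
    missing=${missing# }
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Read a build log on stdin, print one verdict per compiler line, and
# return the number of unhardened invocations as the exit status.
audit_log() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            "gcc "*|"cc "*) ;;
            *) continue ;;
        esac
        if m=$(check_hardening "$line"); then
            echo "hardened: $line"
        else
            echo "UNHARDENED ($m): $line"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Constructed log: the first line comes from a rules file that honours
# dpkg-buildflags, the second from one that overrides CFLAGS itself.
SAMPLE_LOG='gcc -g -O2 -fstack-protector -D_FORTIFY_SOURCE=2 -Wformat -Wformat-security -Wl,-z,relro -o foo foo.c
gcc -g -O2 -o bar bar.c'

if ! printf '%s\n' "$SAMPLE_LOG" | audit_log; then
    echo "some compiler invocations lack hardening flags"
fi
```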