[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#552688: Please decide how Debian should enable hardening build flags

On 21.11.2010 08:39, Raphael Hertzog wrote:
CCing Kees Cook, he has been the one leading the efforts up to now. I hope
he can answer your queries.


On Sat, 20 Nov 2010, Don Armstrong wrote:
There are a couple of things here that should be worked out first
before the CTTE can make a decision:

I assume that there is a decision to turn on hardening defaults? Who made it, and which defaults to turn on? Which ports should it use? Where is it documented? So involvement of the ctte seems to be a bit premature, asking the *how* before the *if*. As said before in the report, it should be reassigned to `general'.

1) Has gcc's upstream been approached about including this patch? What
was their response?

No idea.

Afaik, not submitted, and not upstreamable in this form.

2) Has the archive been successfully rebuilt with the proposed patch?

I think this patch is used in Ubuntu, so mostly yes. I guess Kees Cook or
Steve Langasek should be able to tell us a bit more.

3) Since Matthias has indicated that he doesn't have the resources to
steward this patch in Debian, who is going to work on maintaining it
if upstream isn't interested in the patch and the CTTE decides to
override Matthias?

Kees, would you be willing to take this responsibility in that case?

The patch itself is "maintained", however it requires patches to the testsuite which are not maintained. They are in 4.4, partially forwarded, incomplete for 4.5 and not done at all for trunk. So I do have an answer about the responsibility (and no, you won't convince me otherwise in a few weeks or months having seen this for years).

An additional effort is testing with upstream builds for submitting bug reports. I didn't see anybody to step up with this testing, when the toolchain diverges much more, compared to upstream.

Alternatives to patching gcc include making dpkg-buildflags more
prevalent, a wrapper that we require to install on buildds (coupled
with throwing away binary builds), or some combination of the above.

yes, I consider the current solution a hack, introduced in some derivates by the lack of resources to get it done properly as nearly any other distribution is doing it. Changes to the build flags should be injected in the package build system, not by changing the compiler itself. I first submitted a patch to introduce default flags from the environment, this was replaced/refined by dpkg-buildflags. Now please work on getting it honored in the package builds and maybe make it a policy for packages with a certain priority.


Reply to: