Bug#552688: Please decide how Debian should enable hardening build flags
On Sun, 21 Nov 2010, Matthias Klose wrote:
> I assume that there is a decision to turn on hardening defaults?
> Who made it, and which defaults to turn on? Which ports should it
> use? Where is it documented? So involvement of the ctte seems to
> be a bit premature, asking the *how* before the *if*. As said
> before in the report, it should be reassigned to `general'.
In any past discussion that I remember, a vast majority of people were in
favor of hardening and discussions stalled on the implementation details.
I don't think that reassigning it to general will help in any way.
> An additional effort is testing with upstream builds for submitting
> bug reports. I didn't see anybody step up with this testing,
> when the toolchain diverges much more, compared to upstream.
I don't understand what you are referring to here. Can you elaborate a
> yes, I consider the current solution a hack, introduced in some
> derivatives by the lack of resources to get it done properly as nearly
> any other distribution is doing it. Changes to the build flags
> should be injected in the package build system, not by changing the
> compiler itself. I first submitted a patch to introduce default
> flags from the environment, this was replaced/refined by
> dpkg-buildflags. Now please work on getting it honored in the
> package builds and maybe make it a policy for packages with a
> certain priority.
I think the proper solution is a combination of both approaches. There's
no reason we should continue to not have hardened builds for all packages
right now (in particular when everybody else has them).
Packages should be able to opt-in/opt-out by using dpkg-buildflags
properly. The flags returned by dpkg-buildflags could include some sort of
"--no-magical-defaults-behind-my-back" so that dpkg-buildflags is then
entirely in control, and it can even disable hardening build for the
packages where it breaks.
The day all packages are using dpkg-buildflags properly, we can
drop that patch in gcc.
Raphaël Hertzog ◈ Debian Developer