[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#552688: Please decide how Debian should enable hardening build flags


On Thu, 28 Jul 2011, Kees Cook wrote:
> On Wed, Jul 27, 2011 at 11:56:39PM +0200, Raphael Hertzog wrote:
> > The current implementation in my branch is that PIE is disabled by defaut
> > but if you set DEB_BUILD_HARDENING_PIE=1 then it will be used. This was
> > easily done on top of the compatibility layer with
> > hardening-includes/hardening-wrapper but I'm not convinced it's an
> > interface we want to use for this transition.
> If someone chose to build-dep on hardening-wrapper/hardening-includes, they
> expect to have built PIE, so I think that the dpkg-buildflags default
> should likely depend on that in some way.

Do you mean analyze the build-dep to automatically enable PIE? That
doesn't seem clean and I'd rather have maintainer make it explicit.

If hardening-includes/hardening-wrapper is still used by that package,
does it really matter what dpkg-buildflags is returning?

> The problem here is that h-w/i defaults to PIE-when-supported rather than
> PIE-when-supported-and-desired, so having a maintainer explicitly set
> DEB_BUILD_HARDENING_PIE=1 will trigger FTBFS on the architectures that
> don't support it. I think we'll need some other flag instead that means
> "PIE if possible" when moving to dpkg-buildflags from h-w/i.

Why? If a package migrates from h-w/i to dpkg-buildflags I don't expect
it to keep using h-w/i.

> There's a lot of ways to do this. I'm not sure what is best. What's
> important to me is that maintainers that were using h-w/i don't suddenly
> end up with builds that aren't PIE, since they explicitly chose to build
> with PIE (unless they also explicitly chose to disable it).

That seems a matter of properly documenting the transition from one to the

Raphaël Hertzog ◈ Debian Developer

Follow my Debian News ▶ http://RaphaelHertzog.com (English)
                      ▶ http://RaphaelHertzog.fr (Français)

Reply to: