Bug#552688: Please decide how Debian should enable hardening build flags



On Thu, Jul 28, 2011 at 11:02:16PM +0200, Raphael Hertzog wrote:
> On Thu, 28 Jul 2011, Kees Cook wrote:
> > On Wed, Jul 27, 2011 at 11:56:39PM +0200, Raphael Hertzog wrote:
> > > The current implementation in my branch is that PIE is disabled by default
> > > but if you set DEB_BUILD_HARDENING_PIE=1 then it will be used. This was
> > > easily done on top of the compatibility layer with
> > > hardening-includes/hardening-wrapper but I'm not convinced it's an
> > > interface we want to use for this transition.
> > 
> > If someone chose to build-dep on hardening-wrapper/hardening-includes, they
> > expect to have built PIE, so I think that the dpkg-buildflags default
> > should likely depend on that in some way.
> 
> Do you mean analyze the build-dep to automatically enable PIE? That
> doesn't seem clean and I'd rather have maintainer make it explicit.
> 
> If hardening-includes/hardening-wrapper is still used by that package,
> does it really matter what dpkg-buildflags is returning?

Yeah, all true. I guess it should be in the docs that cover migration from
h-i/h-w. Looking at the git branch, you've already handled the "and
supported" option, so just "DEB_BUILD_HARDENING_PIE=1" is sufficient.

-Kees

-- 
Kees Cook                                            @debian.org
