Bug#552688: Please decide how Debian should enable hardening build flags

To: Raphael Hertzog <hertzog@debian.org>
Cc: 552688@bugs.debian.org
Subject: Bug#552688: Please decide how Debian should enable hardening build flags
From: Kees Cook <kees@debian.org>
Date: Thu, 28 Jul 2011 14:46:28 -0700
Message-id: <[🔎] 20110728214628.GC4946@outflux.net>
Mail-followup-to: debian-ctte@lists.debian.org
Reply-to: Kees Cook <kees@debian.org>, 552688@bugs.debian.org
In-reply-to: <[🔎] 20110728214216.GB4946@outflux.net>
References: <20101120151829.GB4506@rivendell.home.ouaza.com> <[🔎] 20110726213227.GF8766@rivendell.home.ouaza.com> <[🔎] 20110727215639.GB9465@rivendell.home.ouaza.com> <[🔎] 20110728203402.GV4946@outflux.net> <[🔎] 20110728210216.GD3050@rivendell.home.ouaza.com> <[🔎] 20110728214216.GB4946@outflux.net>

On Thu, Jul 28, 2011 at 02:42:16PM -0700, Kees Cook wrote:
> On Thu, Jul 28, 2011 at 11:02:16PM +0200, Raphael Hertzog wrote:
> > If hardening-includes/hardening-wrapper is still used by that package,
> > does it really matter what dpkg-buildflags is returning?
> 
> Yeah, all true. I guess it should be in the docs that cover migration from
> h-i/h-w. Looking at the git branch, you've already handled the "and
> supported" option, so just "DEB_BUILD_HARDENING_PIE=1" is sufficient.

That said, maintainers may want to disable hardening features on a
file-by-file basis. Right now, it's possible to use all the stuff defined
in hardening.make to get at those for filtering. It seems like we need
something similar here? (Basically, the corner case described at line 102
of hardening.make.)

-Kees

-- 
Kees Cook                                            @debian.org

Reply to:

Follow-Ups:
- Bug#552688: Please decide how Debian should enable hardening build flags
  - From: Kees Cook <kees@debian.org>

References:
- Bug#552688: Please decide how Debian should enable hardening build flags
  - From: Raphael Hertzog <hertzog@debian.org>
- Bug#552688: Please decide how Debian should enable hardening build flags
  - From: Raphael Hertzog <hertzog@debian.org>
- Bug#552688: Please decide how Debian should enable hardening build flags
  - From: Kees Cook <kees@debian.org>
- Bug#552688: Please decide how Debian should enable hardening build flags
  - From: Raphael Hertzog <hertzog@debian.org>
- Bug#552688: Please decide how Debian should enable hardening build flags
  - From: Kees Cook <kees@debian.org>

Prev by Date: Bug#552688: Please decide how Debian should enable hardening build flags
Next by Date: Bug#552688: [hertzog@debian.org: Bug#552688: Please decide how Debian should enable hardening build flags]
Previous by thread: Bug#552688: Please decide how Debian should enable hardening build flags
Next by thread: Bug#552688: Please decide how Debian should enable hardening build flags
Index(es):
- Date
- Thread