Bug#552688: marked as done (Please decide how Debian should enable hardening build flags)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Thu, 31 May 2012 12:41:33 -0700
with message-id <87r4u0f89e.fsf@windlord.stanford.edu>
and subject line Re: Bug#552688: Please decide how Debian should enable hardening build flags
has caused the Debian Bug report #552688,
regarding Please decide how Debian should enable hardening build flags
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
552688: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552688
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bugs <submit@bugs.debian.org>
• Subject: enable hardening defaults
• From: Kees Cook <kees@debian.org>
• Date: Tue, 27 Oct 2009 14:24:41 -0700
• Message-id: <20091027212441.GB26691@outflux.net>

Package: gcc-4.4
Version: 4.4.2-1
Severity: wishlist
Tags: patch

Hello!

Based on the ubuntu-devel discussions[1], there are no objections yet
from other developers about enabling the hardened compiler defaults in
Debian.

Thanks,

-Kees

[1] http://lists.debian.org/debian-gcc/2009/10/msg00186.html

-- 
Kees Cook                                            @debian.org

diff -uNrp gcc-4.4-4.4.1/debian~/rules.defs gcc-4.4-4.4.1/debian/rules.defs
--- gcc-4.4-4.4.1/debian~/rules.defs	2009-10-25 10:46:48.000000000 -0700
+++ gcc-4.4-4.4.1/debian/rules.defs	2009-10-25 10:50:13.000000000 -0700
@@ -675,10 +675,8 @@ endif
 with_ssp := $(call envfilt, ssp, , , $(with_ssp))
 
 ifeq ($(with_ssp),yes)
-  ifneq ($(distribution),Debian)
-    ifneq (,$(findstring gcc-4, $(PKGSOURCE)))
-      with_ssp_default := yes
-    endif
+  ifneq (,$(findstring gcc-4, $(PKGSOURCE)))
+    with_ssp_default := yes
   endif
 endif
 
diff -uNrp gcc-4.4-4.4.1/debian~/rules.patch gcc-4.4-4.4.1/debian/rules.patch
--- gcc-4.4-4.4.1/debian~/rules.patch	2009-10-25 10:46:48.000000000 -0700
+++ gcc-4.4-4.4.1/debian/rules.patch	2009-10-25 10:49:47.000000000 -0700
@@ -64,14 +64,12 @@ debian_patches += \
 #endif
 
 hardening_patches =
-ifneq ($(distribution),Debian)
-  ifneq (,$(findstring gcc-4, $(PKGSOURCE)))
-    hardening_patches += gcc-default-format-security \
+ifneq (,$(findstring gcc-4, $(PKGSOURCE)))
+  hardening_patches += gcc-default-format-security \
 	gcc-default-fortify-source gcc-default-relro \
 	testsuite-hardening-format \
 	testsuite-hardening-fortify \
 	testsuite-hardening-printf-types
-  endif
 endif
 ifeq ($(with_ssp)-$(with_ssp_default),yes-yes)
   hardening_patches += gcc-default-ssp

--- End Message ---

--- Begin Message ---

• To: 552688-done@bugs.debian.org
• Subject: Re: Bug#552688: Please decide how Debian should enable hardening build flags
• From: Russ Allbery <rra@debian.org>
• Date: Thu, 31 May 2012 12:41:33 -0700
• Message-id: <87r4u0f89e.fsf@windlord.stanford.edu>

Following discussion of this bug in today's Technical Committee meeting on
IRC, we tentatively decided (assuming no objections from those who
couldn't make it) to decide this is resolved by the dpkg-buildflags work
and to close it without a vote.

If there are any objections, particularly from TC members who couldn't
make the meeting, or if anyone involved in this work feels that it would
be useful for the TC to make a formal decision, please let me know and
I'll reopen.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

--- End Message ---