[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Enabling hardened build flags for Wheezy

Hash: SHA1


dpkg-buildflags allows a uniform setting of default build flags for
code written in C and C++. 

Using dpkg-build-flags in your rules files has a number of benefits:

1. dpkg-buildflags exports hardened build flags. These hardened build
flags mitigate/nullify some classes of security vulnerabilities and
make exploitation of security problems more difficult. The individual
hardening features are explained in the Debian wiki at

2. dpkg-buildflags allows rebuilding Debian with new/modified
flags. If e.g. someone wants to rebuild Debian for an embedded system
with -Os instead of -O2, all it needs is to patch dpkg-buildflags
instead of many packages individually.

3. dpkg-buildflags supports DEB_BUILD_OPTIONS=noopt (policy 4.9.1)
Right now only a few packages support it with manual debian/rules
tweaks, while dpkg-buildflags directly emits emits -O0 if noopt 
is set.

The most important reason for dpkg-buildflags is [1.] :
One of the Wheezy release goals is to build as many packages as
possible with a hardened toolchain by means of dpkg-buildflags:

I've written conversion documentation in the Debian Wiki to provide 
central step-by-step documentation:

If you miss anything in this document, please don't hesitate to
amend and improve it or ping me and I'll fix up missing
information myself. There are also some build systems, for which
instructions need to be investigated and documented, e.g. scons.

Since it will be almost impossible to convert all packages before
Wheezy freezes, a specific sub-group of packages receives targeted 

* All packages, which have had a DSA since 2006
* All packages, which are of Priority >= important

Out of these I already filed bugs for nearly all packages based on 
debhelper and submitted patches for most of them. Bugs for packages in
the targeted sub-group are tracked with the user tag goal-hardening
for the user hardening-discuss@lists.alioth.debian.org:


Progress so far has been quite good and nearly half the bugs have been
closed already.

More bugs will be filed in the next weeks, if you want to help with
that, please see the release goal wiki page and get in touch with me
or even better: Convert your packages before there's a chance to
file bugs for it :-)

But please still try to convert your packages before Wheezy even
if they don't fall in any of the categories above. The work for
hardened build flags over the past months has already identified
quite a few bugs, which have lingered in our code base for a long

Of course, if your packages is written in something other than C/C++, 
e.g. Java, pure Python, pure Perl or shell you don't need to do anything.

Version: GnuPG v1.4.11 (GNU/Linux)


Reply to: