
Enabling hardened build flags for Wheezy




Hi,

dpkg-buildflags allows a uniform setting of default build flags for
code written in C and C++. 

Using dpkg-buildflags in your rules files has a number of benefits:

1. dpkg-buildflags exports hardened build flags. These hardened build
flags mitigate/nullify some classes of security vulnerabilities and
make exploitation of security problems more difficult. The individual
hardening features are explained in the Debian wiki at
http://wiki.debian.org/Hardening

2. dpkg-buildflags allows rebuilding Debian with new/modified
flags. If e.g. someone wants to rebuild Debian for an embedded system
with -Os instead of -O2, all it needs is to patch dpkg-buildflags
instead of many packages individually.

3. dpkg-buildflags supports DEB_BUILD_OPTIONS=noopt (policy 4.9.1).
Right now only a few packages support it with manual debian/rules
tweaks, while dpkg-buildflags directly emits -O0 if noopt
is set.

The most important reason for using dpkg-buildflags is the first one:
One of the Wheezy release goals is to build as many packages as
possible with a hardened toolchain by means of dpkg-buildflags:
http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags

I've written conversion documentation in the Debian Wiki to provide 
central step-by-step documentation:
http://wiki.debian.org/HardeningWalkthrough

If you miss anything in this document, please don't hesitate to
amend and improve it or ping me and I'll fix up missing
information myself. There are also some build systems, for which
instructions need to be investigated and documented, e.g. scons.
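As an added illustration (not part of this mail or the wiki walkthrough), here is a hypothetical debian/rules for a package that calls the dh_* tools by hand and builds an upstream Makefile, pulling the hardened flags in via dpkg-buildflags; the package name "foo" and the dpkg-dev >= 1.16.1 requirement are assumptions:

```makefile
#!/usr/bin/make -f
# Added illustration, not from the original mail: a hypothetical debian/rules
# for a package "foo" whose upstream ships a plain Makefile and whose rules
# file calls the dh_* tools by hand (so nothing sets the flags for it).
# Assumes dpkg-dev >= 1.16.1, which ships /usr/share/dpkg/buildflags.mk.

# Opt in to the non-default hardening features (PIE and bindnow) on top of
# the defaults (format, fortify, stackprotector, relro). Remove this line
# to stay with the dpkg-buildflags defaults.
export DEB_BUILD_MAINT_OPTIONS = hardening=+all

# buildflags.mk sets CFLAGS, CXXFLAGS, CPPFLAGS and LDFLAGS from
# dpkg-buildflags; with DPKG_EXPORT_BUILDFLAGS it also exports them to the
# environment, so an upstream Makefile that reads $CFLAGS picks them up.
# DEB_BUILD_OPTIONS=noopt is honoured here too (-O0 replaces -O2).
DPKG_EXPORT_BUILDFLAGS = 1
include /usr/share/dpkg/buildflags.mk

build: build-stamp
build-stamp:
	dh_testdir
# Pass the flags on the command line as well: a Makefile that assigns
# CFLAGS itself ignores the environment, but not a command-line override.
# CPPFLAGS is folded into CFLAGS because many upstream Makefiles never
# use CPPFLAGS, which would silently drop -D_FORTIFY_SOURCE=2.
	$(MAKE) CFLAGS="$(CFLAGS) $(CPPFLAGS)" LDFLAGS="$(LDFLAGS)"
	touch $@

clean:
	dh_testdir
	dh_testroot
	rm -f build-stamp
	[ ! -f Makefile ] || $(MAKE) clean
	dh_clean

binary-arch: build
	dh_testdir
	dh_testroot
	dh_prep
	$(MAKE) install DESTDIR=$(CURDIR)/debian/foo
	dh_strip
	dh_shlibdeps
	dh_installdeb
	dh_gencontrol
	dh_md5sums
	dh_builddeb

binary: binary-arch
.PHONY: build clean binary-arch binary
```

After the build, running hardening-check (from the hardening-includes package) on the installed binary reports which protections actually ended up in the ELF, which catches an upstream Makefile that silently discarded the flags.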


Since it will be almost impossible to convert all packages before
Wheezy freezes, a specific sub-group of packages receives targeted 
attention:

* All packages which have had a DSA since 2006
* All packages which are of Priority >= important

Out of these I already filed bugs for nearly all packages based on 
debhelper and submitted patches for most of them. Bugs for packages in
the targeted sub-group are tracked with the user tag goal-hardening
for the user hardening-discuss@lists.alioth.debian.org:

http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=goal-hardening;users=hardening-discuss@lists.alioth.debian.org

Progress so far has been quite good and nearly half the bugs have been
closed already.

More bugs will be filed in the next weeks. If you want to help with
that, please see the release goal wiki page and get in touch with me,
or even better: convert your packages before there's a chance to
file bugs for them :-)


But please still try to convert your packages before Wheezy even
if they don't fall in any of the categories above. The work for
hardened build flags over the past months has already identified
quite a few bugs, which have lingered in our code base for a long
time.

Of course, if your package is written in something other than C/C++,
e.g. Java, pure Python, pure Perl or shell, you don't need to do anything.

Cheers,
        Moritz

