
Re: Introducing security hardening features for Lenny



On Tue, Jan 29, 2008 at 04:15:27PM -0800, Kees Cook wrote:
> On Tue, Jan 29, 2008 at 11:17:37PM +0100, sean finney wrote:
> In trying to not duplicate effort, I've been working both in Debian and
> Ubuntu to help get these options enabled globally.
> 
> > I have to repeat the question that tfheen asked on that list... why 
> > DEB_BUILD_HARDENING=1, and not DEB_BUILD_OPTS=hardening (thus the same as 
> > nostrip,noopt,etc).
> 
> I'm all for making it as easy as possible to enable the flags.  (Like I
> said in the other thread: patches welcome.)  I'd probably want it to be
> "nohardening", making compiles hardened by default.  :)

I also think it makes more sense to use DEB_BUILD_OPTIONS.  OTOH, this
might introduce some transition problems, when we move from opt-in for
hardening to having a hardened toolchain by default and thus opt-out.

On the other hand, maybe the set of packages is orthogonal, i.e.
packages which might use hardening before the toolchain does by default
are probably a different set to the packages which want to disable
hardening after the move, due to some issues, not sure.


Michael

