
Re: Switch on compiler hardening defaults
On Thu, 24 Dec 2009, Kees Cook wrote:
> That's certainly a viable plan.  This is kind of the approach we took in
> Ubuntu for the PIE feature.  We also considered packages with a less than
> stellar security history.  The list of packages built with PIE in Ubuntu
> is: (see https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/BuiltPIE )
> 
>  amavisd-new apache2 asterisk bind9 cups cyrus-sasl2 dhcp3 dovecot exim4

amavisd-new is Perl; does that need PIE?  Or do you mean the C utilities
(which are not network services but, on the other hand, are not
performance-sensitive anyway, so we might as well enable it just in case)?

Anyway, I'd appreciate a bug report against amavisd-new with whatever
information is pertinent about PIE, if you guys want us to add it to the
package.

> I couldn't agree more.  See /usr/share/hardening-includes/hardening.make
> for details, but a package trying to avoid the hardening flags could just
> set DEB_BUILD_HARDENING=0 in debian/rules.

Can we get a standard DEB_BUILD_OPTIONS while that is still possible?

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh