
Re: Hardening build flags release goal

On Mon, Sep 05, 2011 at 10:52:40AM +0200, Raphael Hertzog wrote:
> we're not very far from having hardening build flags set by default by
> dpkg-buildflags (waiting on some documentation update that Kees should
> take care of).

I'm about halfway through this. Just brushing up on my groff syntax. ;)

> I would like to find one or two persons to lead a new release goal
> centered around hardening. The big goal is to have the maximum number of
> packages using hardening by the time Wheezy is released but it could
> include more specific sub-goals like "all packages with priority >=
> standard should use dpkg-buildflags properly" or "all packages providing a
> daemon should use dpkg-buildflags properly".

It might be better to extend it further, like "all network daemons using
dpkg-buildflags properly and enabling PIE"

> It's up to whoever does the work to define their methodology of work but
> it's probably interesting to write some script to detect whether a package
> is using dpkg-buildflags. Rebuilding packages with a custom
> dpkg-buildflags configuration that adds a fake flag and analyzing the
> build logs has been suggested (see #628516).

There's already "hardening-includes"'s hardening-check script, which
would be nice to merge into lintian somehow.


Kees Cook                                            @debian.org
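As an added illustration of what a hardening-check style probe does (this is not the hardening-includes script itself, only an example written for this thread), the following reads the ELF64 header and program headers to report PIE, RELRO and a non-executable stack; the sample image is constructed inline, and symbol-level checks such as stack protector and fortify are out of scope here.

```python
"""Header-level hardening probe for little-endian ELF64 files (added example)."""
import struct

ET_EXEC, ET_DYN = 2, 3
PT_INTERP, PT_GNU_STACK, PT_GNU_RELRO = 3, 0x6474E551, 0x6474E552
PF_X = 1
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")           # ELF64 program header (56 bytes)


def parse_elf64(data: bytes) -> dict:
    """Return e_type and a list of (p_type, p_flags) for every program header."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    f = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = f[1], f[5], f[9], f[10]
    phdrs = [PHDR.unpack_from(data, e_phoff + i * e_phentsize)[:2]
             for i in range(e_phnum)]
    return {"e_type": e_type, "phdrs": phdrs}


def hardening_report(data: bytes) -> dict:
    """PIE = ET_DYN plus a PT_INTERP segment (a plain .so has no interpreter);
    RELRO = PT_GNU_RELRO present; NX stack = PT_GNU_STACK present without PF_X."""
    elf = parse_elf64(data)
    types = {t for t, _ in elf["phdrs"]}
    stack_flags = [fl for t, fl in elf["phdrs"] if t == PT_GNU_STACK]
    return {
        "pie": elf["e_type"] == ET_DYN and PT_INTERP in types,
        "relro": PT_GNU_RELRO in types,
        "nx_stack": bool(stack_flags) and not (stack_flags[0] & PF_X),
    }


def build_sample(e_type: int, phdrs) -> bytes:
    """Constructed minimal ELF64 image (headers only) used as sample input."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # class64, LE, v1
    header = EHDR.pack(ident, e_type, 0x3E, 1, 0, EHDR.size, 0, 0,
                       EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    return header + b"".join(PHDR.pack(t, fl, 0, 0, 0, 0, 0, 0) for t, fl in phdrs)


if __name__ == "__main__":
    import sys  # usage: python probe.py /path/to/binary
    with open(sys.argv[1], "rb") as fh:
        print(hardening_report(fh.read()))
```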
