Re: Hardening build flags release goal
On Mon, Sep 05, 2011 at 10:52:40AM +0200, Raphael Hertzog wrote:
> we're not very far from having hardening build flags set by default by
> dpkg-buildflags (waiting on some documentation update that Kees should
> take care of).
I'm about halfway through this. Just brushing up on my groff syntax. ;)
> I would like to find one or two persons to lead a new release goal
> centered around hardening. The big goal is to have the maximum number of
> packages using hardening by the time Wheezy is released but it could
> include more specific sub-goals like "all packages with priority >=
> standard should use dpkg-buildflags properly" or "all packages providing a
> daemon should use dpkg-buildflags properly".
It might be better to extend it further, like "all network daemons using
dpkg-buildflags properly and enabling PIE".
> It's up to whoever does the work to define their methodology of work but
> it's probably interesting to write some script to detect whether a package
> is using dpkg-buildflags. Rebuilding packages with a custom
> dpkg-buildflags configuration that adds a fake flag and analyzing the
> build logs has been suggested (see #628516).
There's already "hardening-includes"'s hardening-check script, which
would be nice to merge into lintian somehow.
Kees Cook @debian.org
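The build-log approach Raphael mentions (rebuild with a dpkg-buildflags configuration that adds a fake flag, then look for it in the log) can be sketched as a small analyser. This is an added example, not code from the thread, from dpkg or from hardening-includes: the marker flag name, the sample log lines and the compiler-name pattern are constructed assumptions, and the per-flag checks only cover the options dpkg-buildflags emits, not everything a toolchain might accept.

```python
import re
import shlex

# Hypothetical canary flag added via a custom dpkg-buildflags configuration.
MARKER_FLAG = "-DDPKG_BUILDFLAGS_MARKER"

# Hardening options dpkg-buildflags emits, matched per argv token.
HARDENING_CHECKS = {
    "stack-protector": re.compile(r"^-fstack-protector"),
    "fortify":         re.compile(r"^-D_FORTIFY_SOURCE=2$"),
    "format-security": re.compile(r"^-Wformat-security$"),
    "pie":             re.compile(r"^(-fPIE|-pie)$"),
    "relro":           re.compile(r"^-Wl,.*-z,relro"),
    "bindnow":         re.compile(r"^-Wl,.*-z,now"),
}
# Matches gcc, g++, cc, c++, optional cross prefix and version suffix.
COMPILER_RE = re.compile(r"^(?:\S+-)?(?:gcc|g\+\+|cc|c\+\+)(?:-[\d.]+)?$")

def parse_build_log(lines, marker=MARKER_FLAG):
    """One record per compiler/linker invocation found in the log lines:
    whether the marker reached the command line (i.e. dpkg-buildflags was
    honoured) and which hardening flags were present."""
    records = []
    for line in lines:
        try:
            argv = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes: not a command line we can parse
        # Logs often prefix commands (make, libtool), so find the compiler token.
        idx = next((i for i, tok in enumerate(argv)
                    if COMPILER_RE.match(tok.rsplit("/", 1)[-1])), None)
        if idx is None:
            continue
        args = argv[idx + 1:]
        records.append({
            "command": " ".join(argv[idx:]),
            "uses_dpkg_buildflags": marker in args,
            "hardening": {name: any(rx.match(a) for a in args)
                          for name, rx in HARDENING_CHECKS.items()},
        })
    return records

def summarize(lines, marker=MARKER_FLAG):
    """Count invocations and list the ones that bypassed dpkg-buildflags."""
    recs = parse_build_log(lines, marker)
    missing = [r["command"] for r in recs if not r["uses_dpkg_buildflags"]]
    return {"invocations": len(recs), "honoured": len(recs) - len(missing),
            "missing_marker": missing}

# Constructed sample log: the third invocation (a vendored subtree with its
# own CFLAGS) never sees the marker, which is exactly what the rebuild is for.
SAMPLE_LOG = """\
make[1]: Entering directory '/build/foo-1.0'
gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -DDPKG_BUILDFLAGS_MARKER -c foo.c -o foo.o
gcc -Wl,-z,relro -DDPKG_BUILDFLAGS_MARKER -o foo foo.o
cc -O2 -c vendored/util.c -o vendored/util.o
""".splitlines()
```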