Re: release goal proposal: enable hardening build flags

On 2011-09-14 18:36, Kees Cook wrote:
> Hi,
> On Wed, Sep 14, 2011 at 08:02:13AM +0200, Niels Thykier wrote:
>> I have two questions so far.  First what usertag will you be using for
>> the bugs (if any)?  As far as I can tell, it is not listed on the
>> wiki.  Secondly, where can I (or will I be able to) see the progress of
>> this goal?
> Ah, right, I forgot that in the proposal. How about "goal-hardening"? I'll
> add that to the wiki[1].

Sounds good; which "user" did you want to use for it?  The link on the
wiki does not seem to include it.

> Once the subgoal package lists have settled, I was going to build a little
> graphing tool like is done for build systems. I don't have any code written
> yet, but I figure a combination of looking at debian/control, compat for
> the build system or hardening-wrapper use, and maybe build log analysis and
> it'd be good to go.
> -Kees
> [1] http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags

I assume that we are interested in ensuring that there are no
"regressions" in this area.  Perhaps a Lintian check would be in order?
As far as I can tell hardening-check only uses readelf + grep, so there
should not be any issues in implementing it.
The question is if the check is reliable (i.e. works on all
architectures) and if there are any caveats (i.e. only works with GCC
compiled binaries).

Anyhow, with a Lintian tag you would naturally have a progress tracker
(at least after #641468 is fixed)[1] and a "regression" check.


[1] See /srv/lintian.debian.org/history/tags/${tag}.dat
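
The properties hardening-check derives from readelf + grep can also be read
straight from the ELF structures, which is what a Lintian check would end up
doing.  The following is an added example for this thread, not code from
hardening-check, Lintian or either poster: it reports the five properties
hardening-check looks for (PIE from the ELF type, RELRO from a GNU_RELRO
program header, immediate binding from DT_BIND_NOW / DT_FLAGS / DT_FLAGS_1,
stack protector from a __stack_chk_fail dynamic symbol, FORTIFY from __*_chk
symbols).  It assumes a little-endian ELF64 image, which is exactly the kind of
portability caveat raised above: a check meant to work on all architectures
would also have to handle ELF32 and big-endian images.  check_hardening,
missing and build_sample are names chosen here; build_sample constructs tiny
ELF images (not loadable programs) so the checker can be exercised offline.

```python
"""Hardening check read straight from ELF64 structures: the same properties
hardening-check derives from readelf + grep (PIE, RELRO, BIND_NOW, stack
protector, FORTIFY).  Added example; not hardening-check or Lintian code."""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
SHT_STRTAB, SHT_DYNSYM = 3, 11
CHECKS = ("pie", "relro", "bind_now", "stack_protector", "fortify")


def check_hardening(elf: bytes) -> dict:
    """Return {check: bool} for a little-endian ELF64 image.  Other classes and
    byte orders are rejected: that is the portability caveat to remember."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e_type, = struct.unpack_from("<H", elf, 16)
    e_phoff, e_shoff = struct.unpack_from("<QQ", elf, 32)
    e_phentsize, e_phnum, e_shentsize, e_shnum = struct.unpack_from("<HHHH", elf, 54)
    result = dict.fromkeys(CHECKS, False)
    result["pie"] = e_type == ET_DYN               # readelf -h: Type: DYN

    dyn = {}
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:                  # readelf -l: GNU_RELRO
            result["relro"] = True
        elif p_type == PT_DYNAMIC:                  # readelf -d: dynamic entries
            for off in range(p_offset, p_offset + p_filesz, 16):
                d_tag, d_val = struct.unpack_from("<qQ", elf, off)
                if d_tag == DT_NULL:
                    break
                dyn[d_tag] = d_val
    result["bind_now"] = (DT_BIND_NOW in dyn
                          or bool(dyn.get(DT_FLAGS, 0) & DF_BIND_NOW)
                          or bool(dyn.get(DT_FLAGS_1, 0) & DF_1_NOW))

    names = set()
    for i in range(e_shnum):                        # readelf -s: .dynsym names
        sh_type, _f, _a, sh_offset, sh_size, sh_link, _i, _al, sh_entsize = \
            struct.unpack_from("<IQQQQIIQQ", elf, e_shoff + i * e_shentsize + 4)
        if sh_type != SHT_DYNSYM:
            continue
        str_off, str_size = struct.unpack_from(     # linked string table
            "<QQ", elf, e_shoff + sh_link * e_shentsize + 24)
        strtab = elf[str_off:str_off + str_size]
        for off in range(sh_offset, sh_offset + sh_size, sh_entsize or 24):
            st_name, = struct.unpack_from("<I", elf, off)
            names.add(strtab[st_name:strtab.index(b"\0", st_name)].decode())
    result["stack_protector"] = "__stack_chk_fail" in names
    # FORTIFY shows up as __*_chk wrappers; a binary with no fortifiable calls
    # legitimately has none, so this can prove presence but not absence.
    result["fortify"] = any(n.endswith("_chk") for n in names - {"__stack_chk_fail"})
    return result


def missing(elf: bytes) -> list:
    """Names of the checks that fail, in CHECKS order (empty == all present)."""
    r = check_hardening(elf)
    return [c for c in CHECKS if not r[c]]


def build_sample(pie: bool, relro: bool, bind_now: bool, symbols: list) -> bytes:
    """Constructed ELF64 image holding only the structures the checker reads
    (not loadable); test data for exercising check_hardening offline."""
    dynstr, name_off = b"\0", {}
    for s in symbols:
        name_off[s] = len(dynstr)
        dynstr += s.encode() + b"\0"
    dynsym = bytes(24) + b"".join(                  # null symbol, then one per name
        struct.pack("<IBBHQQ", name_off[s], 0x12, 0, 0, 0, 0) for s in symbols)
    dynamic = struct.pack("<qQqQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0, DT_NULL, 0)
    phnum = 2 if relro else 1
    dyn_off = 64 + 56 * phnum                       # ehdr | phdrs | dynamic | dynsym | dynstr | shdrs
    sym_off = dyn_off + len(dynamic)
    str_off = sym_off + len(dynsym)
    shoff = str_off + len(dynstr)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, shoff, 0,
        64, 56, phnum, 64, 3, 2)
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0,
                        len(dynamic), len(dynamic), 8)
    if relro:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)

    def shdr(sh_type, off, size, link, entsize):
        return struct.pack("<IIQQQQIIQQ", 0, sh_type, 0, 0, off, size, link, 0, 8, entsize)
    shdrs = (shdr(0, 0, 0, 0, 0)
             + shdr(SHT_DYNSYM, sym_off, len(dynsym), 2, 24)
             + shdr(SHT_STRTAB, str_off, len(dynstr), 0, 0))
    return ehdr + phdrs + dynamic + dynsym + dynstr + shdrs


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, "missing:", ", ".join(missing(f.read())) or "none")
```

Run against real binaries with the paths as arguments.  Two practical points
for a regression check: .dynsym survives stripping, so the symbol-based checks
still work on shipped packages; and the fortify result on a binary that never
calls a fortifiable function is a false negative, which is the same caveat
hardening-check itself carries.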

