[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Hardening release goal blocker


On 11-12-13 at 03:10pm, Kees Cook wrote:
> Hi,
> So, recently it came to my attention that CDBS is not behaving very 
> nicely with dpkg-buildflags, which is causing problems for us to meet 
> the release goal of getting more packages built with compiler 
> hardening enabled: 
> https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
> Notably, I'm curious about this: 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=651964
> I think this is broken behavior on CDBS's part, and that the "some 
> packages" mentioned should be fixed so that all the other packages 
> aren't hampered by the problem.
> This is especially true in the face of:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=651966
> Which means there's no way sort of calling dpkg-buildflags directly to 
> get a fully hardening build using only CDBS. :(
> What's the right way forward to have CDBS and dpkg-buildflags play 
> nice together? :)

I would be happy to change CDBS to always behave sanely (i.e. make 
CDBS_FIX_COMPILE_FLAGS=1 the default behaviour).

This wouldm however, require someone to do the work of investigating and 
correcting any and all packages in the Debian archive that depends on 
the older arguably broken behaviour.

Kind regards,

 - Jonas

 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

Attachment: signature.asc
Description: Digital signature

Reply to: