[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Enabling hardened build flags for Wheezy

Paul Wise <pabs@debian.org> writes:

> Personally I think this is completely the wrong approach to take for
> compiler hardening flags. The flags should be enabled by default in
> upstream GCC and disabled by upstream software where they result in
> problems.

If we had followed that approach, we wouldn't have been able to use PIE,
since it breaks various programs if you enable it this way and isn't as
widely tested.  But because we developed a generic framework to add and
remove hardening flags that the maintainer has control over and can easily
tweak for the needs of their packages, I was able to enable PIE on nearly
all of my packages and just omit it for those packages it broke.

I think that clearly demonstrates the major advantages of having an
extensible framework that we can continue to adjust and modify going

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to: