
Re: Enabling hardened build flags for Wheezy



Paul Wise <pabs@debian.org> writes:

> Personally I think this is completely the wrong approach to take for
> compiler hardening flags. The flags should be enabled by default in
> upstream GCC and disabled by upstream software where they result in
> problems.

If we had followed that approach, we wouldn't have been able to use PIE,
since it breaks various programs if you enable it this way and isn't as
widely tested.  But because we developed a generic framework to add and
remove hardening flags that the maintainer has control over and can easily
tweak for the needs of their packages, I was able to enable PIE on nearly
all of my packages and just omit it for those packages it broke.

I think that clearly demonstrates the major advantages of having an
extensible framework that we can continue to adjust and modify going
forward.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
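As an added illustration for this thread (not Russ's own code, nor anything shipped by Debian): the per-package control described above is a single DEB_BUILD_MAINT_OPTIONS setting in debian/rules, as documented in dpkg-buildflags(1), and the practical follow-up after enabling PIE is to confirm that the produced executable is actually position-independent. The script below shows both. The debian/rules lines appear as comments only; the ELF check is a small POSIX sh function that reads e_type from the ELF header; the sample headers it is exercised against are constructed inline and are not real binaries.

```shell
# Added example, not part of the original thread. Assumes Debian's
# dpkg-buildflags hardening framework as documented in dpkg-buildflags(1).

# 1. What the per-package control looks like in debian/rules (illustrative
#    lines only; this script does not invoke dpkg-buildflags):
#
#      export DEB_BUILD_MAINT_OPTIONS = hardening=+all
#      export DEB_BUILD_MAINT_OPTIONS = hardening=+all,-pie   # PIE breaks this package
#
#    With pie enabled, dpkg-buildflags adds -fPIE to CFLAGS and -fPIE -pie
#    to LDFLAGS; "-pie" drops only that feature and keeps the other flags.

# 2. Check that a built binary really is PIE. A PIE executable is an ELF
#    object of type ET_DYN (3); a fixed-address executable is ET_EXEC (2).
#    The ELF header stores e_type at byte offset 16 in the byte order given
#    by EI_DATA (offset 5: 1 = little-endian, 2 = big-endian). Only od and
#    the shell's arithmetic are needed, so it works where readelf is absent.

is_elf() {
    # First four bytes must be the ELF magic 7f 45 4c 46.
    [ "$(od -An -t x1 -N 4 "$1" | tr -d ' \n')" = "7f454c46" ]
}

elf_type() {
    # Prints e_type as a decimal number, honouring the file's byte order.
    is_elf "$1" || { echo "not an ELF file: $1" >&2; return 1; }
    _order=$(od -An -t u1 -j 5 -N 1 "$1" | tr -d ' \n')
    set -- $(od -An -t u1 -j 16 -N 2 "$1")
    if [ "$_order" -eq 2 ]; then
        echo $(( $1 * 256 + $2 ))
    else
        echo $(( $1 + $2 * 256 ))
    fi
}

is_pie() {
    # Exit status 0 when the file is ET_DYN (PIE executable or shared
    # object), 1 otherwise (ET_EXEC, or not an ELF file at all).
    _t=$(elf_type "$1") || return 1
    [ "$_t" -eq 3 ]
}

# Constructed sample headers for offline testing: the first 18 bytes of an
# ELF64 little-endian header with the requested e_type. They are not
# runnable programs, only enough header for the check above.
make_header() {
    case "$2" in
        exec) _t='\002' ;;   # ET_EXEC
        dyn)  _t='\003' ;;   # ET_DYN
        *) echo "usage: make_header FILE exec|dyn" >&2; return 1 ;;
    esac
    # offsets 0-3 magic, 4 EI_CLASS, 5 EI_DATA, 6 EI_VERSION, 7-15 zero
    # padding, 16-17 e_type.
    printf "\\177ELF\\002\\001\\001\\000\\000\\000\\000\\000\\000\\000\\000\\000${_t}\\000" > "$1"
}

# Stand-alone demonstration.
_dir=$(mktemp -d)
make_header "$_dir/pie-binary" dyn
make_header "$_dir/nopie-binary" exec
for _f in "$_dir/pie-binary" "$_dir/nopie-binary"; do
    if is_pie "$_f"; then echo "$_f: PIE"; else echo "$_f: not PIE"; fi
done
rm -rf "$_dir"
```

Run is_pie against each executable in debian/tmp after the build; anything reported as "not PIE" in a package that claims hardening=+all is either a build system ignoring LDFLAGS or a target the framework skipped, and is worth a look before upload. Note that ET_DYN also covers shared libraries, so apply the check to executables only. Debian's hardening-check script inspects the same header (and further properties such as stack protector and RELRO) if it is available.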

