
Re: Enabling hardened build flags for Wheezy

On Thu, Mar 01, 2012 at 09:44:15AM +0100, Thijs Kinkhorst wrote:
> On Thu, March 1, 2012 00:11, Patrick Matthaei wrote:
> > Am 29.02.2012 23:57, schrieb Russ Allbery:
> >> Patrick Matthaei <pmatthaei@debian.org> writes:
> >>
> >>> I fully support the hardening goal.
> >>> May it be an option to add lintian errors (also non-fatal errors on
> >>> ftp-master side) about missing-hardening-build in the future?
> > But maybe it still would be an option to add a lintian warning
> > (regarding your above arguments throwing an error would not be the right
> > solution) about "maybe-missing-hardening"?
> > The maintainer would be aware about this potential problem, check his
> > package and if it is really a false positive he still could overwrite it.
> There's already some discussion in this bug:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=650536

Progress is being made on this, but I've been slow. I got distracted by
some other things. I'm hoping to spend some time on it this weekend now
that all the infrastructure I need is in dpkg.

Speaking to the false positives problem, I've discussed with some
people the idea of having build flags be included in some sort of ELF
comment-like area that can be examined. That way it becomes trivial to
answer "how was this built?" and all these crappy heuristic checks can
get thrown away. In the meantime, I'll continue to work on the crappy
heuristic checks. ;)


Kees Cook                                            @debian.org
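The two approaches the message contrasts, heuristic checks on the built ELF versus a recorded "how was this built?" note, can both be seen in a small parser. The following is an added example written for this archive page; it is not code from the thread, from lintian, from dpkg or from Debian's hardening-check. It decodes an ELF64 image's program headers and looks at the three things heuristic checks commonly key on (PT_GNU_STACK executable bit, presence of PT_GNU_RELRO, ET_DYN for PIE), then dumps the `.comment` section strings. The sample images are constructed fixtures built in the same file, and the `BUILDFLAGS(hypothetical)` string inside one of them is an invented placeholder for the kind of record the mail proposes, not a format any toolchain emits.

```python
"""Heuristic ELF64 hardening check plus a look at the .comment section.

Added example (not from the thread, lintian, dpkg or hardening-check).
The sample ELF images are constructed, non-runnable fixtures; the
BUILDFLAGS string in one of them is hypothetical.
"""
import struct

ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
SHT_PROGBITS, SHT_STRTAB = 1, 3
EHDR_FMT, PHDR_FMT, SHDR_FMT = "HHIQQQIHHHHHH", "IIQQQQQQ", "IIQQQQIIQQ"


def parse_elf64(data: bytes) -> dict:
    """Decode the ELF header, program headers and named section headers."""
    if data[:4] != b"\x7fELF" or data[4] != 2:  # EI_CLASS must be ELFCLASS64
        raise ValueError("not an ELF64 image")
    end = "<" if data[5] == 1 else ">"  # EI_DATA selects the byte order
    (e_type, _mach, _ver, _entry, e_phoff, e_shoff, _flags, _ehsize,
     e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx) = \
        struct.unpack_from(end + EHDR_FMT, data, 16)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags, *_ = struct.unpack_from(end + PHDR_FMT, data, e_phoff + i * e_phentsize)
        phdrs.append({"type": p_type, "flags": p_flags})
    shdrs = []
    for i in range(e_shnum):
        name, sh_type, _f, _a, off, size, *_ = \
            struct.unpack_from(end + SHDR_FMT, data, e_shoff + i * e_shentsize)
        shdrs.append({"name": name, "type": sh_type, "offset": off, "size": size})
    if shdrs and e_shstrndx < len(shdrs):  # resolve section names via .shstrtab
        st = shdrs[e_shstrndx]
        strtab = data[st["offset"]: st["offset"] + st["size"]]
        for sh in shdrs:
            sh["strname"] = strtab[sh["name"]: strtab.index(b"\0", sh["name"])].decode("ascii", "replace")
    return {"type": e_type, "phdrs": phdrs, "shdrs": shdrs}


def hardening_report(data: bytes) -> dict:
    """Heuristic verdicts. None means "cannot tell": a missing PT_GNU_STACK is
    not proof of an executable stack, and ET_DYN also matches ordinary shared
    libraries, which is exactly where such checks produce false positives."""
    elf = parse_elf64(data)
    report = {"pie_or_shared": elf["type"] == ET_DYN, "nx_stack": None,
              "relro": False, "comment": []}
    for ph in elf["phdrs"]:
        if ph["type"] == PT_GNU_STACK:
            report["nx_stack"] = not (ph["flags"] & PF_X)
        elif ph["type"] == PT_GNU_RELRO:
            report["relro"] = True
    for sh in elf["shdrs"]:
        if sh.get("strname") == ".comment" and sh["type"] == SHT_PROGBITS:
            raw = data[sh["offset"]: sh["offset"] + sh["size"]]
            report["comment"] = [s.decode("ascii", "replace") for s in raw.split(b"\0") if s]
    return report


def build_sample_elf(exec_stack: bool, relro: bool, pie: bool, comment: bytes) -> bytes:
    """Constructed fixture holding only the tables the checker reads, no code."""
    phdrs = [(PT_GNU_STACK, PF_R | PF_W | (PF_X if exec_stack else 0))]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    shstrtab = b"\0.shstrtab\0.comment\0"  # ".shstrtab" at 1, ".comment" at 11
    phoff, comment_off = 64, 64 + 56 * len(phdrs)
    shstr_off = comment_off + len(comment)
    shoff = shstr_off + len(shstrtab)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LSB, version 1
    ehdr = ident + struct.pack("<" + EHDR_FMT, ET_DYN if pie else ET_EXEC, 62, 1, 0,
                               phoff, shoff, 0, 64, 56, len(phdrs), 64, 3, 1)
    body = b"".join(struct.pack("<" + PHDR_FMT, t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    body += comment + shstrtab
    shdrs = bytes(64)  # mandatory null section header
    shdrs += struct.pack("<" + SHDR_FMT, 1, SHT_STRTAB, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0)
    shdrs += struct.pack("<" + SHDR_FMT, 11, SHT_PROGBITS, 0, 0, comment_off, len(comment), 0, 0, 1, 0)
    return ehdr + body + shdrs


# Constructed comment strings: the first mimics what GCC records, the second is
# a hypothetical build-flag record of the kind the mail proposes (invented here).
SAMPLE_COMMENT = (b"GCC: (constructed sample) 4.6\0"
                  b"BUILDFLAGS(hypothetical): -fstack-protector -D_FORTIFY_SOURCE=2\0")
HARDENED = build_sample_elf(exec_stack=False, relro=True, pie=True, comment=SAMPLE_COMMENT)
WEAK = build_sample_elf(exec_stack=True, relro=False, pie=False,
                        comment=b"GCC: (constructed sample) 4.6\0")

if __name__ == "__main__":
    for label, img in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, hardening_report(img))
```

Run it on a real binary by replacing the fixture with `open(path, "rb").read()`; the program-header checks then behave like the heuristics the mail calls crappy, and the `comment` list shows what the toolchain actually left behind for a reviewer to inspect, which is the only place a recorded flag set could ever be read from.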
