[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Enabling hardened build flags for Wheezy

Russ Allbery <rra@debian.org> schrieb:
> Paul Wise <pabs@debian.org> writes:
>> Personally I think this is completely the wrong approach to take for
>> compiler hardening flags. The flags should be enabled by default in
>> upstream GCC and disabled by upstream software where they result in
>> problems.
> If we had followed that approach, we wouldn't have been able to use PIE,
> since it breaks various programs if you enable it this way and isn't as
> widely tested.  But because we developed a generic framework to add and
> remove hardening flags that the maintainer has control over and can easily
> tweak for the needs of their packages, I was able to enable PIE on nearly
> all of my packages and just omit it for those packages it broke.
> I think that clearly demonstrates the major advantages of having an
> extensible framework that we can continue to adjust and modify going
> forward.

Fully agreed. dpkg-buildflags also provides benefits outside of security
hardening, e.g. by allowing to rebuild Debian packages or the whole archive
with deviating build flags.


Reply to: