
Re: Enabling hardened build flags for Wheezy



Russ Allbery <rra@debian.org> wrote:
> Paul Wise <pabs@debian.org> writes:
>
>> Personally I think this is completely the wrong approach to take for
>> compiler hardening flags. The flags should be enabled by default in
>> upstream GCC and disabled by upstream software where they result in
>> problems.
>
> If we had followed that approach, we wouldn't have been able to use PIE,
> since it breaks various programs if you enable it this way and isn't as
> widely tested.  But because we developed a generic framework to add and
> remove hardening flags that the maintainer has control over and can easily
> tweak for the needs of their packages, I was able to enable PIE on nearly
> all of my packages and just omit it for those packages it broke.
>
> I think that clearly demonstrates the major advantages of having an
> extensible framework that we can continue to adjust and modify going
> forward.

Fully agreed. dpkg-buildflags also provides benefits outside of security
hardening, e.g. by allowing Debian packages or the whole archive to be
rebuilt with deviating build flags.

Cheers,
        Moritz

