Re: Enabling hardened build flags for Wheezy

On Wed, Feb 29, 2012 at 10:52:10PM +0100, Moritz Muehlenhoff wrote:
> Since it will be almost impossible to convert all packages before
> Wheezy freezes, a specific sub-group of packages receives targeted 
> attention:
> * All packages, which have had a DSA since 2006
> * All packages, which are of Priority >= important

Dear Moritz and everybody,

we are starting to receive bugs, severity important, for packages that are not
of the above, where for instance the patch consists in bumping Debhelper's
compatibility level from 8 to 9.

I admit that I have strictly no understanding of the consequences of not fixing
these bugs in a timely manner.  Severity important suggests to me that it is
better to solve that bug first before doing other work such as introducing new
features or updating other packages, and that there is an "important" risk for
our users of being victims of attacks that can be prevented by the hardening.
Perhaps people could file these bugs at a "normal" severity, if this is not the

But my main question is the following:

In another bug, the problem is that CPPFLAGS is ignored in upstream's makefile.
I understand that the semantics of CFLAGS and CPPFLAGS are not the same, but I
also note that a large number of our upstreams are not making the difference
and use CFLAGS as a catch-all variable.

Would it be possible to pass -D_FORTIFY_SOURCE=2 in CFLAGS in addition to

Have a nice day,

Charles Plessy
Debian Med packaging team,
Tsurumi, Kanagawa, Japan
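
The following is an added example, not part of the message above and not code from any Debian tool: a check over a build log for compile steps that never received -D_FORTIFY_SOURCE=2, which is what happens when an upstream makefile ignores CPPFLAGS. The function names and the sample log are constructed for illustration, and only bare `gcc`/`cc`/`g++`/`c++` command lines are recognised.

```shell
#!/bin/sh
# Constructed sample build log (not from a real package build).
sample_log() {
cat <<'EOF'
gcc -g -O2 -fstack-protector -Wformat -c -o ok.o ok.c
gcc -g -O2 -D_FORTIFY_SOURCE=2 -c -o good.o good.c
cc -O2 -D_FORTIFY_SOURCE=2 -o prog ok.o good.o
g++ -g -O0 -D_FORTIFY_SOURCE=2 -c -o noopt.o noopt.cc
make[1]: Leaving directory '/build/example'
EOF
}

# Read a build log on stdin and print "REASON: line" for every compile
# step that would not be fortified.
check_fortify() {
    while IFS= read -r line; do
        # Keep only compiler invocations (simplification: no cross
        # prefixes, no absolute paths, no wrappers such as libtool).
        case "$line" in
            gcc\ *|cc\ *|g++\ *|c++\ *) ;;
            *) continue ;;
        esac
        # Only compile steps (-c) run the preprocessor; skip link lines.
        case " $line " in
            *" -c "*) ;;
            *) continue ;;
        esac
        # The macro is absent when the makefile dropped CPPFLAGS.
        case " $line " in
            *" -D_FORTIFY_SOURCE=2 "*) ;;
            *) printf 'missing-fortify: %s\n' "$line"; continue ;;
        esac
        # _FORTIFY_SOURCE only takes effect when optimization is on.
        # Simplification: several -O flags on one line are not resolved.
        case " $line " in
            *" -O0 "*) printf 'no-optimization: %s\n' "$line" ;;
            *" -O"*) ;;
            *) printf 'no-optimization: %s\n' "$line" ;;
        esac
    done
}

# Number of findings for the log on stdin.
count_findings() { check_fortify | wc -l | tr -d ' '; }

sample_log | check_fortify
```
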
