
Re: Enabling hardened build flags for Wheezy



Charles Plessy <plessy@debian.org> wrote:
> On Wed, Feb 29, 2012 at 10:52:10PM +0100, Moritz Muehlenhoff wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> 
>> Since it will be almost impossible to convert all packages before
>> Wheezy freezes, a specific sub-group of packages receives targeted 
>> attention:
>> 
>> * All packages, which have had a DSA since 2006
>> * All packages, which are of Priority >= important
>
> Dear Moritz and everybody,
>
> we are starting to receive bugs, severity important, for packages that are not
> of the above, where for instance the patch consists in bumping Debhelper's
> compatibility level from 8 to 9.

The specific subgroup above is the subset that I'm working on by tracking
the status, submitting patches etc.

The release goal for Wheezy is still "convert as many packages as possible",
so filing these bugs with "important" severity is fine since it's a release
goal.

> In another bug, the problem is that CPPFLAGS is ignored in upstream's makefile.
> I understand that the semantics of CFLAGS and CPPFLAGS are not the same, but I
> also note that a large number of our upstreams are not making the difference
> and use CFLAGS as a catch-all variable.
>
> Would it be possible to pass -D_FORTIFY_SOURCE=2 in CFLAGS in addition to
> CPPFLAGS ?

Yes, that typically works. See the advice on appending CPPFLAGS to CFLAGS in
http://wiki.debian.org/HardeningWalkthrough

Cheers,
        Moritz
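
A way to check a build log for the problem discussed in this thread (an upstream makefile that ignores CPPFLAGS, so -D_FORTIFY_SOURCE=2 never reaches the compiler), as an added example that is not part of the original message. The log lines in SAMPLE_LOG are constructed and the function names are hypothetical; the script also flags fortify requested without optimization, since glibc only enables the fortified functions when optimization is on.

```python
import re
import shlex

# Basenames of C/C++ compiler drivers: gcc, x86_64-linux-gnu-gcc, gcc-4.6, cc, ...
COMPILER = re.compile(r"^(?:.+-)?(?:gcc|g\+\+|cc|c\+\+|clang|clang\+\+)(?:-[\d.]+)?$")
SOURCE = re.compile(r"\.(?:c|cc|cpp|cxx|C)$")
FORTIFY = re.compile(r"^-[DU]_FORTIFY_SOURCE(?:=\d)?$")

def check_line(line):
    """Return a problem description for a compile command, or None."""
    try:
        argv = shlex.split(line)
    except ValueError:      # unbalanced quotes: not a command we can judge
        return None
    if not argv or not COMPILER.match(argv[0].rsplit("/", 1)[-1]):
        return None
    if not any(SOURCE.search(arg) for arg in argv[1:]):
        return None         # link-only step, nothing is compiled here
    # The last -D/-U of the macro and the last -O level on the line win.
    macro = [arg for arg in argv if FORTIFY.match(arg)]
    if not macro or macro[-1].startswith("-U") or macro[-1].endswith("=0"):
        return "no -D_FORTIFY_SOURCE (CPPFLAGS ignored by the makefile?)"
    levels = [arg for arg in argv if arg.startswith("-O")]
    if not levels or levels[-1] == "-O0":
        return "-D_FORTIFY_SOURCE has no effect without optimization"
    return None

def scan(log_text):
    """Return (line number, problem) pairs for every flagged compile step."""
    findings = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        problem = check_line(line.strip())
        if problem:
            findings.append((number, problem))
    return findings

# Constructed sample build log, not taken from a real package build.
SAMPLE_LOG = """\
make[1]: Entering directory '/build/foo-1.0'
gcc -g -O2 -D_FORTIFY_SOURCE=2 -c -o main.o main.c
gcc -g -O2 -c -o util.o util.c
x86_64-linux-gnu-gcc -g -O0 -D_FORTIFY_SOURCE=2 -c -o debug.o debug.c
gcc -Wl,-z,relro -o prog main.o util.o debug.o
"""

if __name__ == "__main__":
    for number, problem in scan(SAMPLE_LOG):
        print(f"line {number}: {problem}")
```

A makefile that echoes only a short "CC foo.o" line instead of the full command hides the flags from a check like this, so the build has to be run in verbose mode first.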

