
Re: Enabling hardened build flags for Wheezy

On Thu, Mar 08, 2012 at 12:26:46AM +0900, Charles Plessy wrote:
> Thanks (and thanks Cyril) for the hint.  Still there are two things
> I do not understand:
>  - Why and when it is a problem to add preprocessor flags in CFLAGS.
>  - Why we chose the solution that requires more extensive changes
>    to the packages.

Sorry to rant again, but am I the only one thinking that we are in most
cases wasting everybody's time by not simply passing all the hardening flags by
default in CFLAGS?  In my experience (and I maintain more than 100 packages),
it is extremely rare to need to ensure that the compiler, preprocessor and
linker flags are in three separate variables.

When we need to modify a large number of packages in order to propagate a
change, doesn't this mean that we are not picking the most efficient defaults?

Anyway, I am starting to push some makefile patches upstream.  And in the
meantime, I am not doing anything particularly interesting for Debian.  On
the contrary, I spend less time, because the tedious micromanagement of the
compiler flags is so boring and looks so useless, yet it is necessary to enable
hardening flags that are 'important' in our BTS.  Seriously, which package in
Debian directly benefits from the split of the hardening flags in three
separate variables?  What other features than hardening are using this?


Charles Plessy
Debian Med packaging team,
Tsurumi, Kanagawa, Japan
