
Re: Bits from the Security Team



On 06.03.2014 02:00, Paul Wise wrote:
>> * The distribution hardening using dpkg-buildflags is coming along
>>   nicely.
> 
> Unfortunately this doesn't apply to binaries compiled outside of the
> package building system. It would be great if we could adopt the
> Ubuntu approach of just enabling the flags in GCC itself. Even better
> would be to get GCC upstream to finally enable them by default.

This should not be enabled in the distro itself, and if at all, then not before it
can be enabled upstream.  From my point of view it was a mistake to enable it this
way before getting this upstream.  However, it is a lot of work to get the
compiler to build itself with these flags and the testsuite to produce the same
results as without these.  In the past neither the Ubuntu security team nor the
Google ChromeOS team had time and resources to bring these patches upstream.

  Matthias

