Re: Bits from the Security Team

To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: Matthias Klose <doko@debian.org>, Paul Wise <pabs@debian.org>, debian-devel@lists.debian.org, security@debian.org
Subject: Re: Bits from the Security Team
From: Florian Weimer <fw@deneb.enyo.de>
Date: Sat, 08 Mar 2014 18:23:41 +0100
Message-id: <[🔎] 87siqsd2oy.fsf@mid.deneb.enyo.de>
In-reply-to: <[🔎] 20140307094212.GA1695@inutil.org> (Moritz Muehlenhoff's message of "Fri, 7 Mar 2014 10:42:12 +0100")
References: <20140305190301.GA2912@pisco.westfalen.local> <[🔎] CAKTje6EGjEFXwGY2WDE_gHHWhBAxU5Pw52TZNeHexdgP7K5Bng@mail.gmail.com> <[🔎] 5317FAA6.6090809@debian.org> <[🔎] 20140307094212.GA1695@inutil.org>

* Moritz Muehlenhoff:

> I agree we should stick with dpkg-buildflags until this is fixed upstream.
> Gentoo Hardened tried to upstream this a year ago, but apparently this didn't make 
> the cut yet:
> http://gcc.gnu.org/ml/gcc-patches/2012-09/msg00473.html

This is interesting.  One potential issue here is that GCC doesn't
really know about _FORTIFY_SOURCE, and we'd like to see this covered
as well.

On the other hand, it is somewhat doubtful if we can come up with a
one-size-fits-all compile time option.  For example, Fedora wants to
enable -grecord-gcc-switches, but maybe Debian doesn't (e.g. because
it impacts reproducible builds).

Reply to:

Follow-Ups:
- Re: Bits from the Security Team
  - From: Paul Wise <pabs@debian.org>

References:
- Re: Bits from the Security Team
  - From: Paul Wise <pabs@debian.org>
- Re: Bits from the Security Team
  - From: Matthias Klose <doko@debian.org>
- Re: Bits from the Security Team
  - From: Moritz Muehlenhoff <jmm@inutil.org>

Prev by Date: Re: Bug#740683: provide web service client package via stable-updates
Next by Date: Re: Bits from the Security Team
Previous by thread: Re: Bits from the Security Team
Next by thread: Re: Bits from the Security Team
Index(es):
- Date
- Thread