Hi all, A few weeks ago I mentioned on -devel[1] that dpkg-buildflags would be switching from -fstack-protector to -fstack-protector-strong, a new GCC 4.9 feature. This change has now landed in unstable with dpkg 1.17.11. Moritz tells me that the Security Team can request binNMUs for a set of packages that have been identified as security-sensitive[2] if they don't get rebuilt with the new flag by the time we freeze for jessie. However, I think it would be better to ensure maximum coverage of the archive by rebuilding everything that can benefit from the flag, i.e. all the packages that use dpkg-buildflags via debhelper >= 9 or cdbs, and produce arch:any binaries. Has this kind of mass binNMU been attempted before? Who would I need to talk to to get this done at least on amd64 and i386 before the freeze? Thanks, [1]: https://lists.debian.org/debian-devel/2014/06/msg00453.html [2]: http://anonscm.debian.org/viewvc/secure-testing/hardening/ -- Romain Francoise <rfrancoise@debian.org> http://people.debian.org/~rfrancoise/
Attachment:
signature.asc
Description: PGP signature