Re: Hardening patch
On Thu, 2011-09-08 at 08:59:50 +0200, Raphael Hertzog wrote:
> New patches attached.
> >From 8ea91d6285f490d583f85e1b1621a67ccb33e64a Mon Sep 17 00:00:00 2001
> From: =?UTF-8?q?Rapha=C3=ABl=20Hertzog?= <email@example.com>
> Date: Wed, 27 Jul 2011 22:10:49 +0200
> Subject: [PATCH 2/3] dpkg-buildflags: emit hardening build flags by default
> + # Decide what's enabled
> + my %use_feature = (
> + "pie" => 0,
> + "stackprotector" => 1,
> + "fortify" => 1,
> + "format" => 1,
> + "relro" => 1,
> + "bindnow" => 1
> + );
Any reason you seem to have ignored the concerns I rised about
defaulting to bindnow?
In any case I don't think enabling this w/o further data demonstrating
it's fine to do so is acceptable, as fixing any such regression would
imply needing to hunt down packages built with the new flags and trigger
binNMUs for them all. The default for it can always be changed later
on, I don't see the need to rush it?