
Re: [RFC PATCH] dpkg-buildflags: Switch to -fstack-protector-strong



On Tue, Jun 24, 2014 at 06:33:33PM +0200, Romain Francoise wrote:
> On Tue, Jun 24, 2014 at 07:11:58AM -0700, Kees Cook wrote:
> > I wonder if there is any sensible way for dpkg-buildflags to detect (or
> > maybe just be told) which compiler will be used for a build? Perhaps it
> > could take a new argument that would allow it to select flags based on the
> > compiler name and version?
> >
> >     dpkg-buildflags --compiler=gcc-4.7
> 
> Hmm. This could quickly become a huge headache, and in general I think
> that we shouldn't encourage maintainers to use a non-standard/older
> toolchain, it causes issues that go beyond hardening. So the cost of
> doing so (like disabling incompatible flags) should be borne by the
> package, not dpkg.
> 
> It would perhaps make more sense in terms of GCC vs. Clang, but in this
> case -fstack-protector-strong is already supported by Clang 3.5.

Sounds good to me! I would prefer the default just be the default,
honestly.

> >> * needs test suite upgrade for -fstack-protector-strong:
> >>   - hardening-wrapper 2.5
> 
> > I can get this fixed up. Though really hardening-wrapper should be
> > deprecated for Jessie.
> 
> I guess I should file a bug against hardening-wrapper in any case?

That would be helpful, thank you!

-Kees

-- 
Kees Cook                                            @debian.org
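A debian/rules fragment showing how one package bears the cost of dropping the flag itself, as the reply above suggests; this is an added example, not code from the thread or from dpkg, and it uses the DEB_CFLAGS_MAINT_STRIP / DEB_CFLAGS_MAINT_APPEND variables documented in dpkg-buildflags(1) for a hypothetical package that must still build with a toolchain lacking -fstack-protector-strong:

```makefile
#!/usr/bin/make -f
# Hypothetical package whose build must succeed with an older compiler
# that does not understand -fstack-protector-strong. Rather than having
# dpkg-buildflags select flags per compiler, the package strips the one
# flag it cannot use and falls back to the weaker protector, leaving the
# remaining hardening defaults (e.g. -D_FORTIFY_SOURCE=2, relro) intact.
export DEB_CFLAGS_MAINT_STRIP    = -fstack-protector-strong
export DEB_CFLAGS_MAINT_APPEND   = -fstack-protector --param=ssp-buffer-size=4
export DEB_CXXFLAGS_MAINT_STRIP  = -fstack-protector-strong
export DEB_CXXFLAGS_MAINT_APPEND = -fstack-protector --param=ssp-buffer-size=4

%:
	dh $@
```

With those variables exported, `dpkg-buildflags --get CFLAGS` prints the adjusted flag set, which is the quickest way to confirm the override took effect before a full build.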