
Re: [RFC PATCH] dpkg-buildflags: Switch to -fstack-protector-strong



On Tue, Jun 24, 2014 at 07:11:58AM -0700, Kees Cook wrote:
> I wonder if there is any sensible way for dpkg-buildflags to detect (or
> maybe just be told) which compiler will be used for a build? Perhaps it
> could take a new argument that would allow it to select flags based on the
> compiler name and version?
>
>     dpkg-buildflags --compiler=gcc-4.7

Hmm. This could quickly become a huge headache, and in general I think
that we shouldn't encourage maintainers to use a non-standard/older
toolchain; it causes issues that go beyond hardening. So the cost of
doing so (like disabling incompatible flags) should be borne by the
package, not dpkg.

It would perhaps make more sense in terms of GCC vs. Clang, but in this
case -fstack-protector-strong is already supported by Clang 3.5.

>> * needs test suite upgrade for -fstack-protector-strong:
>>   - hardening-wrapper 2.5

> I can get this fixed up. Though really hardening-wrapper should be
> deprecated for Jessie.

I guess I should file a bug against hardening-wrapper in any case?

Thanks,
-- 
Romain Francoise <rfrancoise@debian.org>
http://people.debian.org/~rfrancoise/
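As an added illustration of the point above that the package, not dpkg, should compensate for a toolchain that lacks -fstack-protector-strong (example code, not part of the thread; the function names and the sample CFLAGS string are constructed, and the compiler is assumed to be whatever ${CC:-cc} resolves to):

```shell
#!/bin/sh
# Probe the compiler for -fstack-protector-strong and fall back to plain
# -fstack-protector when it is rejected (e.g. GCC older than 4.9, Clang
# older than 3.5). Constructed example; not from dpkg or hardening-wrapper.

# Print the strongest stack-protector flag ${CC:-cc} accepts; return 1 if none.
stack_protector_flag() {
    cc="${CC:-cc}"
    for flag in -fstack-protector-strong -fstack-protector; do
        # Compile a minimal translation unit from stdin. A compiler that does
        # not know the flag exits non-zero ("unrecognized command line option").
        if printf 'int main(void){return 0;}\n' | \
           "$cc" "$flag" -Werror -x c -c -o /dev/null - >/dev/null 2>&1; then
            printf '%s\n' "$flag"
            return 0
        fi
    done
    return 1
}

# Rewrite a CFLAGS string (as from `dpkg-buildflags --get CFLAGS`) so that
# -fstack-protector-strong is replaced by the flag this compiler supports,
# or dropped entirely when neither variant is accepted.
adjust_cflags() {
    supported="$(stack_protector_flag)" || supported=""
    printf '%s\n' "$1" | sed "s/-fstack-protector-strong/${supported}/g"
}

# Sample input (constructed): the hardened default dpkg-buildflags emits.
adjust_cflags "${1:--g -O2 -fstack-protector-strong -Wformat -Werror=format-security}"
```

In a debian/rules file the same substitution would be applied to the output of `dpkg-buildflags --get CFLAGS` before it is exported, keeping the workaround inside the package as suggested.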