
Re: Switch on compiler hardening defaults



[Kees Cook]
> As an example, I have a debdiff against openssh to use it:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=561887
>
> With the new package, the arch-specific logic for hardening defaults
> is in one place, and a maintainer can selectively disable anything they
> don't want on by default.

This might be a good compromise to get network services hardened
without changing the default build system.  Is there a plan for which
packages to convert first?  A patch for my netplan package would be
most welcome. :) I guess starting with the most popular ones is a good
idea, and I realise netplan is not one of these. :)

Personally I would prefer the build default to change instead, and a
mechanism to disable it per package for those that can't use the
hardening defaults, but I realise it might be a risky path to take.

Happy hacking,
-- 
Petter Reinholdtsen

