
Re: Please decide how Debian should enable hardening build flags



Hi Matthias,

On Sun, Nov 21, 2010 at 09:21:43AM +0100, Matthias Klose wrote:
> I assume that there is a decision to turn on hardening defaults?
> Who made it, and which defaults to turn on?  Which ports should it
> use?  Where is it documented?  So involvement of the ctte seems to

The hardening-wrapper package has all of the combinations and ports
well-declared. For example:

ifneq (,$(filter $(DEB_HOST_ARCH_CPU), ia64 alpha mips mipsel hppa arm ))
  # Stack protector disabled on ia64, alpha, mips, mipsel, hppa.
  #   "warning: -fstack-protector not supported for this target"
  # Stack protector disabled on arm (ok on armel).
  #   compiler supports it incorrectly (leads to SEGV)
  DEB_BUILD_HARDENING_STACKPROTECTOR ?= 0
endif
DEB_BUILD_HARDENING_STACKPROTECTOR ?= 1

etc

> The patch itself is "maintained", however it requires patches to the
> testsuite which are not maintained. They are in 4.4, partially
> forwarded, incomplete for 4.5 and not done at all for trunk.  So I
> do have an answer about the responsibility (and no, you won't
> convince me otherwise in a few weeks or months having seen this for
> years).

Since this, I've gotten half the testsuite changes into upstream, so this
has improved. The testsuite work is extremely time-consuming, and I've been
very slow to get that work done, unfortunately.

> yes, I consider the current solution a hack, introduced in some
> derivates by the lack of resources to get it done properly as nearly
> any other distribution is doing it.  Changes to the build flags
> should be injected in the package build system, not by changing the
> compiler itself.  I first submitted a patch to introduce default
> flags from the environment, this was replaced/refined by
> dpkg-buildflags.  Now please work on getting it honored in the
> package builds and maybe make it a policy for packages with a
> certain priority.

This is likely the core of the disagreement: how to apply the
flags. I have a strong opinion about this because my perspective is
security-oriented. I think all compiles should be hardened; default
to being secure, and whitelist that which needs things disabled. Same
policy applies to firewalls, etc. As before, I stand by my original email
that started this thread:
http://lists.debian.org/debian-gcc/2009/10/msg00186.html

-Kees

-- 
Kees Cook                                            @debian.org
