Re: Please decide how Debian should enable hardening build flags
Hi Raphael,

On Sun, Nov 21, 2010 at 08:39:21AM +0100, Raphael Hertzog wrote:
> On Sat, 20 Nov 2010, Don Armstrong wrote:
> > There are a couple of things here that should be worked out first
> > before the CTTE can make a decision:
> > 
> > 1) Has gcc's upstream been approached about including this patch? What
> > was their response?
> 
> No idea.

Zorry from Gentoo was working on a --configure option. In general, upstream
gcc is against global behavioral changes like this. I can try to open some
discussion with them, though.

> > 2) Has the archive been successfully rebuilt with the proposed patch?
> 
> I think this patch is used in Ubuntu, so mostly yes. I guess Kees Cook or
> Steve Langasek should be able to tell us a bit more.

Yes, all of Ubuntu has been compiled with hardening enabled since Oct 2008.
As mentioned in the original thread[1], the only thing needed to turn it on
in Debian is to just not filter the patch list in Debian[2].

[1] http://lists.debian.org/debian-gcc/2009/10/msg00186.html
[2] http://outflux.net/hardening-for-all.patch

> > 3) Since Matthias has indicated that he doesn't have the resources to
> > steward this patch in Debian, who is going to work on maintaining it
> > if upstream isn't interested in the patch and the CTTE decides to
> > override Matthias?
> 
> Kees, would you be willing to take this responsibility in that case?

I already am maintaining this patchset (since it is used in Ubuntu, and the
package is shared between Debian and Ubuntu). The core of Matthias's
objection to using it in Debian is that it leaves him with no "stock"
gcc to diagnose compiler bugs with. While "gcc-snapshot" exists, there is
nothing like "gcc-4.5-stock", though perhaps that might be a solution to
that objection, though that would add yet-another-package-of-gcc.

-Kees

-- 
Kees Cook                                            @debian.org