
Bug#796642: debian-policy: hardening is an afterthought and should never be

* Steve Langasek:

>> Harden flags set AND ENFORCED on build environment(harden package)
>
> There is no way to "enforce" the use of hardening flags.

There is a way, involving multiple steps:

1. Put -grecord-gcc-switches into the hardening flags.

2. Make debuginfo packages mandatory.

3. Make full debuginfo coverage for ELF objects mandatory.  This needs
   tooling which does not exist yet.

4. Check that all recorded GCC switches (see step 1) contain hardening
   flags.

5. Add the checks to Lintian.

Steps 2 and 3 are the difficult ones.  There is independent work on
automatic debuginfo package generation, so step 2 might eventually
become a possibility.  Step 3 should be relatively straightforward to
write for someone who is familiar with elfutils and DWARF.  In fact,
eu-checksec is on my long-term TODO list, and steps 3 and 4 could be
part of that.


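Step 4 of the procedure above (checking the switches that -grecord-gcc-switches stores in each compilation unit's DW_AT_producer) as an added example; this is not code from the mailing-list thread, Lintian or elfutils. It parses the text of `readelf --debug-dump=info` (a constructed sample is embedded) and the required flag set is an assumption; note that -grecord-gcc-switches does not record -D defines or linker flags, so FORTIFY_SOURCE and RELRO need a different check.

```python
import re

# Assumed required set: compile-side hardening flags that GCC does record in
# DW_AT_producer. -D_FORTIFY_SOURCE and -Wl,-z,relro are not recorded there.
REQUIRED_FLAGS = ("-fstack-protector-strong", "-Wformat", "-Werror=format-security")

# Constructed sample of `readelf --debug-dump=info` output with two compile
# units: main.c built with hardening flags, helper.c without them.
SAMPLE_READELF_OUTPUT = """\
 Compilation Unit @ offset 0x0:
  <0><b>: Abbrev Number: 1 (DW_TAG_compile_unit)
    <c>   DW_AT_producer    : (indirect string, offset: 0x1a): GNU C11 9.3.0 -g -grecord-gcc-switches -O2 -fstack-protector-strong -Wformat -Werror=format-security
    <10>   DW_AT_language    : 12	(ANSI C99)
    <11>   DW_AT_name        : (indirect string, offset: 0x42): main.c
 Compilation Unit @ offset 0x2e:
  <0><39>: Abbrev Number: 1 (DW_TAG_compile_unit)
    <3a>   DW_AT_producer    : (indirect string, offset: 0x7c): GNU C11 9.3.0 -g -grecord-gcc-switches -O2
    <3e>   DW_AT_language    : 12	(ANSI C99)
    <3f>   DW_AT_name        : (indirect string, offset: 0x9f): helper.c
"""

# readelf prints either an inline string or "(indirect string, offset: 0x..): value".
_INDIRECT = r"(?:\(indirect string, offset: 0x[0-9a-f]+\):\s*)?"
_PRODUCER_RE = re.compile(r"DW_AT_producer\s*:\s*" + _INDIRECT + r"(.*)")
_NAME_RE = re.compile(r"DW_AT_name\s*:\s*" + _INDIRECT + r"(.*)")


def parse_compile_units(text):
    """Return [(unit_name, producer_string)] for every compile unit in readelf output."""
    units = []
    producer = None
    for line in text.splitlines():
        m = _PRODUCER_RE.search(line)
        if m:
            producer = m.group(1).strip()  # DW_AT_producer precedes DW_AT_name in the CU DIE
            continue
        m = _NAME_RE.search(line)
        if m and producer is not None:
            units.append((m.group(1).strip(), producer))
            producer = None  # later DW_AT_name lines belong to functions, not the CU
    return units


def missing_hardening(text, required=REQUIRED_FLAGS):
    """Map each compile unit lacking a required flag to the list of flags it is missing."""
    result = {}
    for name, producer in parse_compile_units(text):
        switches = producer.split()  # recorded switches are space-separated after the version
        missing = [flag for flag in required if flag not in switches]
        if missing:
            result[name] = missing
    return result
```

Run against a real object with `readelf --debug-dump=info obj.o`; an empty result means every compile unit recorded the required switches, which is the property a Lintian check for step 5 would test.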