Re: Secure debian
On Mon, Oct 20, 2025 at 08:24:46AM +0300, jasem masry wrote:
> I want to secure Debian against vulnerability exploitation, and I know
> that I should use compiler flags, but the problem is that there are many
> apps on the system. Should I compile it app by app, or is there a
> practical solution for that? I want URLs to articles on the web for the
> solution, to save your time.

Consider whether this is a good use of your time in the first place.
Modern versions of Debian already apply a number of hardening options
via compiler flags (see the output of "dpkg-buildflags", if you have the
dpkg-dev package installed). If you were to find additional strategies
that were generally applicable across the whole distribution, then those
would likely be things we'd want to enable in Debian; but a lot of
people have already spent a lot of time on this in Debian, and if you're
coming to it from scratch without prior experience, it would probably
take quite some time before you found viable approaches that they
didn't.

Unless you were to put a great deal of complex automation in place, I
think it's likely that attempting to recompile everything with different
compiler options would lose you more effective security (due to being
slower to apply updates) than you'd gain.

In practical terms, your time is probably better spent on other
approaches. https://wiki.debian.org/SecurityManagement has some ideas
and useful links.
--
Colin Watson (he/him) [cjwatson@debian.org]
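
The following is an added example, not part of the original message: a small shell audit of the "dpkg-buildflags" output mentioned above, reporting which hardening flags the default build environment already supplies. The function names, the embedded sample dump and the four-flag checklist are assumptions made for illustration; the checklist covers flags Debian's dpkg emits by default, and newer releases may add more.

```shell
#!/bin/sh
# Added example: checks a dpkg-buildflags dump for default hardening flags.
# SAMPLE_DUMP is constructed for illustration, not captured from a real system.
SAMPLE_DUMP='CFLAGS=-g -O2 -fstack-protector-strong -Wformat -Werror=format-security
CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2
LDFLAGS=-Wl,-z,relro'

# flag_present DUMP VAR FLAG: succeed only if FLAG is a whole token of VAR's value.
flag_present() {
    printf '%s\n' "$1" | awk -v var="$2" -v want="$3" '
        index($0, var "=") == 1 {
            n = split(substr($0, length(var) + 2), tok, " ")
            for (i = 1; i <= n; i++) if (tok[i] == want) found = 1
        }
        END { exit !found }'
}

# audit_flags DUMP: print one line per check; exit status = number of missing flags.
audit_flags() {
    missing=0
    while read -r var flag desc; do
        if flag_present "$1" "$var" "$flag"; then
            echo "ok       $desc ($var $flag)"
        else
            echo "MISSING  $desc ($var $flag)"
            missing=$((missing + 1))
        fi
    done <<'EOF'
CFLAGS -fstack-protector-strong stack-protector
CFLAGS -Werror=format-security format-string-checks
CPPFLAGS -D_FORTIFY_SOURCE=2 fortify-source
LDFLAGS -Wl,-z,relro read-only-relocations
EOF
    return "$missing"
}

# Audit the live flags when dpkg-dev is installed, otherwise the sample.
if command -v dpkg-buildflags >/dev/null 2>&1; then
    dump=$(dpkg-buildflags)
else
    dump=$SAMPLE_DUMP
fi
audit_flags "$dump" || echo "$? expected hardening flag(s) not present"
```

Matching whole tokens matters here: a substring test would accept "-fstack-protector" when only "-fstack-protector-strong" is set, and the reverse.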