Control: tags -1 pending

On 2014-12-10 08:30, Thijs Kinkhorst wrote:
> Package: release-notes
> Severity: wishlist
> Tags: patch
>
> Hi,
>
> Attached patch renames the "Hardening" section to "Security", adds mention
> of the removed SSLv3 protocol and progress on hardened build flags.
>
>
> Cheers,
> Thijs
>
Hi Thijs,

I have applied and committed your patch with 3 changes. These changes are:

* In the first paragraph, avoid implying that all packages have been compiled
  without SSLv3 support (as I recall, at least openssl still has it, and given
  it removes symbols/breaks ABI to remove them, it will keep it for Jessie).
* Replaced &oldrelease; with &Oldreleasename; (the former resolves to "7" and
  the latter to "Wheezy").
* Added a "they" in the sentence: """[...], so [they] are not used
  automatically when locally building software"""

Please take a minute to review the resulting patch,

~Niels
>From 7f6c76e721e6cd0991808c13537c930eaadc743f Mon Sep 17 00:00:00 2001 From: nthykier <nthykier@313b444b-1b9f-4f58-a734-7bb04f332e8d> Date: Thu, 11 Dec 2014 18:33:20 +0000 Subject: [PATCH] en/whats-new: Update security section Heavily based on patch from Thijs Kinkhorst. Signed-off-by: Niels Thykier <ni...@thykier.net> git-svn-id: svn+ssh://svn.debian.org/svn/ddp/manuals/trunk/release-notes@10520 313b444b-1b9f-4f58-a734-7bb04f332e8d --- en/whats-new.dbk | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/en/whats-new.dbk b/en/whats-new.dbk index 86f3982..7244d3d 100644 --- a/en/whats-new.dbk +++ b/en/whats-new.dbk 
@@ -441,17 +441,21 @@ TODO: Need to include stuff from <5447ec14.2070...@debian.org> </para> </section> -<section id="hardening" condition="fixme"> - <title>Hardened security</title> - <para> -TODO: Even more packages / coverage? - </para> +<section id="security" condition="fixme"> + <title>Security</title> + <para>The legacy secure sockets layer protocol SSLv3 has been + disabled in this release in many packages. Many System cryptography + libraries as well as servers and client applications have been + compiled or configured without support for this protocol.</para> - <para>Note that the hardened build flags are not enabled by default in - <systemitem role="package">gcc</systemitem>, so are not used automatically - when locally building software. The package - <systemitem role="package">hardening-wrapper</systemitem> can provide a - <systemitem>gcc</systemitem> with these flags enabled. + <para>Continuing on the path set by &Oldreleasename;, more packages + have been built with hardened compiler flags. Also, the stack + protector flag has been switched to stack-protector-strong for extra + hardening. Note that the hardened build flags are not enabled by + default in <systemitem role="package">gcc</systemitem>, so they are + not used automatically when locally building software. The package + <systemitem role="package">hardening-wrapper</systemitem> can + provide a <systemitem>gcc</systemitem> with these flags enabled. </para> </section> -- 2.1.3
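Review bot: The new <section id="security" condition="fixme"> keeps the condition="fixme" attribute even though both TODO placeholders in the old section are replaced by finished text, so the build will still treat this section as unfinished; unless more content is still planned for it, drop condition="fixme" in this hunk. Two smaller style points in the same hunk: "Many System cryptography libraries" should read "Many system cryptography libraries" (lowercase), and the flag name in "switched to stack-protector-strong" would be clearer written as the actual option, <option>-fstack-protector-strong</option>, in line with the <systemitem> markup already used for gcc in the same paragraph.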