On Tue, Jan 29, 2008 at 04:15:27PM -0800, Kees Cook wrote: > On Tue, Jan 29, 2008 at 11:17:37PM +0100, sean finney wrote: > In trying to not duplicate effort, I've been working both in Debian and > Ubuntu to help get these options enabled globally. > > > I have to repeat the question that tfheen asked on that list... why > > DEB_BUILD_HARDENING=1, and not DEB_BUILD_OPTS=hardening (thus the same as > > nostrip,noopt,etc). > > I'm all for making it as easy as possible to enable the flags. (Like I > said in the other thread: patches welcome.) I'd probably want it to be > "nohardening", making compiles hardened by default. :)
I also think it makes more sense to use DEB_BUILD_OPTIONS. OTOH, this might introduce some transition problems, when we move to opt-in for hardening to having a hardened toolchain by default and thus opt-out. On the other hand, maybe the set of packages is orthogonal, i.e. packages which might use hardening before the toolchain does by default is probably a different set to the packages which want to disable hardening after the move, due to some issues, not sure. Michael -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
