[dropped debian-gcc from the CCs as this is probably rather off topic now]

Hi Petter,

On Mon, Dec 21, 2009 at 08:16:08AM +0100, Petter Reinholdtsen wrote:
> [Kees Cook]
> > As an example, I have a debdiff against openssh to use it:
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=561887
> >
> > With the new package, the arch-specific logic for hardening defaults
> > is in one place, and a maintainer can selectively disable anything they
> > don't want on by default.
>
> This might be a good compromise to get network services hardened
> without changing the default build system. Is there a plan for which

That's certainly a viable plan. This is kind of the approach we took in
Ubuntu for the PIE feature. We also considered packages with a less than
stellar security history. The list of packages built with PIE in Ubuntu
is: (see https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/BuiltPIE )

  amavisd-new apache2 asterisk bind9 cups cyrus-sasl2 dhcp3 dovecot exim4
  ipsec-tools mysql-dfsg-5.1 nagios3 nagios-plugins ntp openbsd-inetd
  openldap openssh postfix postgresql-8.3 samba sendmail squid wireshark
  xinetd

Many of these (and others) are already building in Debian with
hardening-wrapper:

  aria2 bind9 bird confget cookietool cups dma donkey grap hexer hfsprogs
  isoquery jd jed kaptain libdebug limo mysql-dfsg-5.1 nast postfix
  postgresql-8.3 postgresql-8.4 prips quagga robodoc rtpproxy ser slrn
  squid strongswan switchsh tnftp wireshark worker xmahjongg zoem

And built with hardening-includes:

  openbsd-inetd

> packages to convert first? A patch for my netplan package would be
> most welcome. :) I guess starting with the most popular ones is a good
> idea, and realise netplan is not one of these. :)

Well, every package is a little different in how CFLAGS and LDFLAGS get
passed into the upstream build, so there isn't a strict recipe. Probably
the most common would be to declare CFLAGS and LDFLAGS to the "configure"
environment. For example in debian/rules:

  # pull in HARDENING_CFLAGS / HARDENING_LDFLAGS for this architecture
  include /usr/share/hardening-includes/hardening.make
  CFLAGS += $(HARDENING_CFLAGS)
  LDFLAGS += $(HARDENING_LDFLAGS)
  ...
  binary-arch:
  ...
  	# make variables need $(...) in a recipe; $CFLAGS would expand as $C followed by "FLAGS"
  	CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" ./configure ...

You can check the results of the build with "hardening-check" (in
hardening-includes version 1.19). See its manpage for more details.

> Personally I would prefer the build default to change instead, and a
> mechanism to disable it per package for those that can't use the
> hardening defaults, but realise it might be a risky path to take.

I couldn't agree more. See /usr/share/hardening-includes/hardening.make
for details, but a package trying to avoid the hardening flags could just
set DEB_BUILD_HARDENING=0 in debian/rules.

-Kees

-- 
Kees Cook @debian.org
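The mail points at "hardening-check" to verify what the build actually produced. The following is an added example, not part of the mail and not the hardening-check tool or any Debian code: a small pure-Python reader that inspects an ELF64 little-endian image for the same kinds of properties (PIE via ET_DYN, RELRO via a PT_GNU_RELRO segment, BIND_NOW via the dynamic section flags, stack protector via an imported __stack_chk_fail, FORTIFY via imported *_chk functions). The helper build_sample_elf constructs a tiny synthetic image so the checker can be exercised offline; all function names, the 64-bit-only assumption and the sample images are assumptions of this example, not anything from the page.

```python
"""Added example: a minimal hardening checker for ELF64 little-endian images.

It approximates the properties Debian's hardening-check reports; it is not
that tool. Only ELF64 LE is handled (an assumption of this example).
"""
import struct

ET_DYN = 3
PT_LOAD, PT_DYNAMIC, PT_GNU_RELRO = 1, 2, 0x6474E552
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # 64-byte ELF64 file header
PHDR = struct.Struct("<IIQQQQQQ")          # 56-byte program header
DYN = struct.Struct("<qQ")                 # 16-byte dynamic-section entry


def _vaddr_to_offset(phdrs, vaddr):
    """Translate a virtual address into a file offset via the PT_LOAD segments."""
    for p in phdrs:
        if p["type"] == PT_LOAD and p["vaddr"] <= vaddr < p["vaddr"] + p["filesz"]:
            return vaddr - p["vaddr"] + p["offset"]
    raise ValueError("address not backed by a PT_LOAD segment")


def check_elf_bytes(data):
    """Return a dict of hardening properties for an in-memory ELF64 LE image."""
    ident, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum, _, _, _ = EHDR.unpack_from(data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("only ELF64 little-endian images are supported here")
    phdrs = []
    for i in range(e_phnum):
        f = PHDR.unpack_from(data, e_phoff + i * e_phentsize)
        phdrs.append(dict(type=f[0], offset=f[2], vaddr=f[3], filesz=f[5]))
    result = {"pie": e_type == ET_DYN,  # ET_DYN: PIE executable or shared object
              "relro": any(p["type"] == PT_GNU_RELRO for p in phdrs),
              "bind_now": False, "stack_protector": False, "fortify": False}
    dyn = next((p for p in phdrs if p["type"] == PT_DYNAMIC), None)
    if dyn is None:
        return result  # no dynamic section (static link): nothing more to read
    tags, off = {}, dyn["offset"]
    while off + DYN.size <= len(data):
        tag, val = DYN.unpack_from(data, off)
        off += DYN.size
        if tag == DT_NULL:
            break
        tags[tag] = val
    result["bind_now"] = (DT_BIND_NOW in tags
                          or bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW)
                          or bool(tags.get(DT_FLAGS_1, 0) & DF_1_NOW))
    if DT_STRTAB in tags and DT_STRSZ in tags:
        start = _vaddr_to_offset(phdrs, tags[DT_STRTAB])
        names = data[start:start + tags[DT_STRSZ]].split(b"\0")
        result["stack_protector"] = b"__stack_chk_fail" in names
        result["fortify"] = any(n.startswith(b"__") and n.endswith(b"_chk")
                                and n != b"__stack_chk_fail" for n in names)
    return result


def check_elf_file(path):
    """Convenience wrapper: run the check on a file on disk."""
    with open(path, "rb") as fh:
        return check_elf_bytes(fh.read())


def build_sample_elf(pie=True, relro=True, bind_now=True,
                     imports=(b"__stack_chk_fail", b"__memcpy_chk")):
    """Construct a tiny synthetic ELF64 image (constructed test data, not a real binary)."""
    strtab = b"\0" + b"\0".join(imports) + b"\0"
    n_ph = 2 + (1 if relro else 0)
    strtab_off = EHDR.size + n_ph * PHDR.size
    dyn_off = (strtab_off + len(strtab) + 15) & ~15  # 16-byte align the dynamic section
    entries = [(DT_STRTAB, strtab_off), (DT_STRSZ, len(strtab))]
    if bind_now:
        entries.append((DT_FLAGS, DF_BIND_NOW))
    entries.append((DT_NULL, 0))
    dyn_blob = b"".join(DYN.pack(t, v) for t, v in entries)
    total = dyn_off + len(dyn_blob)
    phdrs = [PHDR.pack(PT_LOAD, 5, 0, 0, 0, total, total, 0x1000),  # one segment maps the whole file
             PHDR.pack(PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn_blob), len(dyn_blob), 8)]
    if relro:
        phdrs.append(PHDR.pack(PT_GNU_RELRO, 4, dyn_off, dyn_off, dyn_off, len(dyn_blob), len(dyn_blob), 1))
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9  # ELFCLASS64, little-endian, version 1
    ehdr = EHDR.pack(ident, ET_DYN if pie else 2, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, n_ph, 0, 0, 0)
    image = bytearray(ehdr + b"".join(phdrs))
    image += strtab + b"\0" * (dyn_off - strtab_off - len(strtab)) + dyn_blob
    return bytes(image)


if __name__ == "__main__":
    for name, image in [("hardened", build_sample_elf()),
                        ("unhardened", build_sample_elf(pie=False, relro=False,
                                                        bind_now=False, imports=(b"main",)))]:
        print(name, check_elf_bytes(image))
```

Note that ET_DYN alone cannot tell a PIE executable from a shared library, which is why the key is a hint rather than proof; hardening-check and readelf are the authoritative tools on a real Debian build, and this reader is only meant to show what those properties look like in the file format.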