On Mon, Sep 05, 2011 at 10:52:40AM +0200, Raphael Hertzog wrote:
> we're not very far from having hardening build flags set by default by
> dpkg-buildflags (waiting on some documentation update that Kees should
> take care of).

I'm about halfway through this. Just brushing up on my groff syntax. ;)

> I would like to find one or two persons to lead a new release goal
> centered around hardening. The big goal is to have the maximum number of
> packages using hardening by the time Wheezy is released but it could
> include more specific sub-goals like "all packages with priority >=
> standard should use dpkg-buildflags properly" or "all packages providing a
> daemon should use dpkg-buildflags properly".

It might be better to extend it further, like "all network daemons using
dpkg-buildflags properly and enabling PIE"

> It's up to whoever does the work to define their methodology of work but
> it's probably interesting to write some script to detect whether a package
> is using dpkg-buildflags. Rebuilding packages with a custom
> dpkg-buildflags configuration that adds a fake flag and analyzing the
> build logs has been suggested (see #628516).

There's already "hardening-includes"'s hardening-check script, which would
be nice to merge into lintian somehow.

-Kees

-- 
Kees Cook                                            @debian.org

Archive: http://lists.debian.org/20110905212239.ga18...@outflux.net
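
The build-log analysis suggested in the quoted text, sketched as an added example that is not part of the original thread or of any Debian tool: it scans a build log for compiler invocations and lists the source files compiled without a marker flag. The marker name `-DBUILDFLAGS_MARKER=1` and the sample log are assumptions constructed for illustration.

```python
import re
import shlex

# Hypothetical marker: assumed to have been added to CFLAGS/CXXFLAGS by a
# custom dpkg-buildflags configuration before the rebuild. Not a real flag.
MARKER = "-DBUILDFLAGS_MARKER=1"
# gcc, g++, cc, c++, clang, including triplet-prefixed and versioned names.
COMPILER = re.compile(r"^(?:[\w.]+-)*(?:gcc|g\+\+|cc|c\+\+|clang(?:\+\+)?)(?:-[\d.]+)?$")
SOURCE = re.compile(r"\.(?:c|cc|cpp|cxx|C)$")

# Constructed sample build log (not taken from a real package build).
SAMPLE_LOG = """\
dh_auto_build
gcc -DHAVE_CONFIG_H -I. -g -O2 -DBUILDFLAGS_MARKER=1 -c main.c -o main.o
libtool: compile:  x86_64-linux-gnu-gcc -g -O2 -DBUILDFLAGS_MARKER=1 \\
    -c util.c -o util.o
cc -O3 -c vendored/fast.c -o fast.o
gcc -o prog main.o util.o fast.o
"""

def logical_lines(log_text):
    """Join backslash-continued lines so each command is one string."""
    return log_text.replace("\\\n", " ").splitlines()

def compile_commands(log_text):
    """Yield argument lists of lines that compile a source file with -c."""
    for line in logical_lines(log_text):
        try:
            tokens = shlex.split(line)
        except ValueError:  # unbalanced quotes: not a clean command line
            continue
        for i, tok in enumerate(tokens):
            if COMPILER.match(tok.rsplit("/", 1)[-1]):
                args = tokens[i + 1:]
                if "-c" in args and any(SOURCE.search(a) for a in args):
                    yield args
                break  # only the first compiler token on a line counts

def audit(log_text):
    """Return (compile command count, source files built without MARKER)."""
    total, missing = 0, []
    for args in compile_commands(log_text):
        total += 1
        if MARKER not in args:
            missing.extend(a for a in args if SOURCE.search(a))
    return total, missing
```

A file in the second return value was compiled with flags that did not come from dpkg-buildflags, which is the case the rebuild is meant to surface; link-only lines are ignored because the marker here is a compile-time flag.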