Hi,

On 11-12-13 at 03:10pm, Kees Cook wrote:
> Hi,
>
> So, recently it came to my attention that CDBS is not behaving very
> nicely with dpkg-buildflags, which is causing problems for us to meet
> the release goal of getting more packages built with compiler
> hardening enabled:
> https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
>
> Notably, I'm curious about this:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=651964
>
> I think this is broken behavior on CDBS's part, and that the "some
> packages" mentioned should be fixed so that all the other packages
> aren't hampered by the problem.
>
> This is especially true in the face of:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=651966
>
> Which means there's no way short of calling dpkg-buildflags directly to
> get a fully hardening build using only CDBS. :(
>
> What's the right way forward to have CDBS and dpkg-buildflags play
> nice together? :)

I would be happy to change CDBS to always behave sanely (i.e. make
CDBS_FIX_COMPILE_FLAGS=1 the default behaviour).

This would, however, require someone to do the work of investigating and
correcting any and all packages in the Debian archive that depend on
the older arguably broken behaviour.

Kind regards,

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private