Russ Allbery <[email protected]> wrote:
> Paul Wise <[email protected]> writes:
>
>> Personally I think this is completely the wrong approach to take for
>> compiler hardening flags. The flags should be enabled by default in
>> upstream GCC and disabled by upstream software where they result in
>> problems.
>
> If we had followed that approach, we wouldn't have been able to use PIE,
> since it breaks various programs if you enable it this way and isn't as
> widely tested.  But because we developed a generic framework to add and
> remove hardening flags that the maintainer has control over and can easily
> tweak for the needs of their packages, I was able to enable PIE on nearly
> all of my packages and just omit it for those packages it broke.
>
> I think that clearly demonstrates the major advantages of having an
> extensible framework that we can continue to adjust and modify going
> forward.

Fully agreed. dpkg-buildflags also provides benefits outside of security
hardening, e.g. by allowing one to rebuild Debian packages or the whole archive
with deviating build flags.

Cheers,
        Moritz
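The per-package toggle mechanism the thread refers to, sketched as an added example (this is not dpkg's own code, and the feature set and flag ordering below are this model's assumptions; the DEB_BUILD_MAINT_OPTIONS and dpkg-buildflags invocations in the comments are the real interface):

```shell
#!/bin/sh
# Added example, not dpkg's own code: a small model of how dpkg-buildflags lets a
# maintainer add and remove hardening features per package through
# DEB_BUILD_MAINT_OPTIONS, e.g. in debian/rules:
#
#   export DEB_BUILD_MAINT_OPTIONS = hardening=+all,-pie
#   include /usr/share/dpkg/buildflags.mk
#
# or interactively:
#
#   DEB_BUILD_MAINT_OPTIONS="hardening=+all,-pie" dpkg-buildflags --get LDFLAGS
#
# Assumptions: the default-on set below matches the dpkg 1.16 era (pie and bindnow
# opt-in); the per-feature GCC flags are the ones dpkg associates with each
# feature, but the baseline "-g -O2" placement and output ordering are this model's.

HARDENING_ALL="format fortify stackprotector relro bindnow pie"
HARDENING_DEFAULT="format fortify stackprotector relro"

# hardening_features "hardening=+pie,-fortify": apply the +/- toggles to the
# default set and print the enabled features in canonical order.
# "+all" / "-all" reset the whole set; unknown feature names are ignored.
hardening_features() {
    spec=${1#hardening=}
    if [ "$spec" = "$1" ]; then
        spec=""    # no hardening= option given: defaults apply unchanged
    fi
    enabled=" $HARDENING_DEFAULT "
    for tok in $(printf '%s' "$spec" | tr ',' ' '); do
        case $tok in
            +all) enabled=" $HARDENING_ALL " ;;
            -all) enabled=" " ;;
            +*)   enabled="$enabled${tok#+} " ;;
            -*)   enabled=$(printf '%s' "$enabled" | sed "s/ ${tok#-} / /g") ;;
        esac
    done
    out=""
    for f in $HARDENING_ALL; do
        case "$enabled" in *" $f "*) out="$out $f" ;; esac
    done
    printf '%s' "${out# }"
}

# Compose the compiler flags each enabled feature contributes.
hardening_cflags() {
    out="-g -O2"
    for f in $(hardening_features "$1"); do
        case $f in
            format)         out="$out -Wformat -Werror=format-security" ;;
            stackprotector) out="$out -fstack-protector --param=ssp-buffer-size=4" ;;
            pie)            out="$out -fPIE" ;;
        esac
    done
    printf '%s' "$out"
}

# fortify is a preprocessor define, so dpkg puts it in CPPFLAGS rather than CFLAGS.
hardening_cppflags() {
    out=""
    for f in $(hardening_features "$1"); do
        case $f in fortify) out="-D_FORTIFY_SOURCE=2" ;; esac
    done
    printf '%s' "$out"
}

hardening_ldflags() {
    out=""
    for f in $(hardening_features "$1"); do
        case $f in
            relro)   out="$out -Wl,-z,relro" ;;
            bindnow) out="$out -Wl,-z,now" ;;
            pie)     out="$out -fPIE -pie" ;;
        esac
    done
    printf '%s' "${out# }"
}

# The check a maintainer wants after the build: did the binary really come out
# PIE and RELRO? Needs binutils' readelf. Returns 0 if both are present, 1 if
# not, 2 if readelf is unavailable. (ELF type DYN on an executable means PIE.)
check_pie_relro() {
    command -v readelf >/dev/null 2>&1 || return 2
    readelf -h "$1" | grep -q 'Type:[[:space:]]*DYN' || return 1
    readelf -l "$1" | grep -q 'GNU_RELRO' || return 1
    return 0
}

# Demo: what a package that opts into everything except PIE would be built with.
printf 'features: %s\n' "$(hardening_features 'hardening=+all,-pie')"
printf 'CFLAGS:   %s\n' "$(hardening_cflags   'hardening=+all,-pie')"
printf 'CPPFLAGS: %s\n' "$(hardening_cppflags 'hardening=+all,-pie')"
printf 'LDFLAGS:  %s\n' "$(hardening_ldflags  'hardening=+all,-pie')"
```

The point of the model is the shape of the interface, not the flag strings: the distribution owns the default set, "+all" opts a package into everything, and a single "-pie" lets the maintainer of a package that PIE breaks drop exactly that feature without touching the rest. On a Debian system, compare the model's output with `DEB_BUILD_MAINT_OPTIONS="hardening=+all,-pie" dpkg-buildflags --dump`.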


Archive: http://lists.debian.org/[email protected]