On Fri, Mar 02, 2012 at 07:41:25PM +0100, Julian Taylor wrote:
> On 03/02/2012 05:53 PM, Kees Cook wrote:
> > On Fri, Mar 02, 2012 at 09:12:16AM +0100, Mike Hommey wrote:
> >> On Thu, Mar 01, 2012 at 09:58:23PM -0800, Russ Allbery wrote:
> >>> Kees Cook <k...@debian.org> writes:
> >>>
> >>>> Speaking to the false positives problem, I've discussed with some people
> >>>> the idea of having build flags be included in some sort of ELF
> >>>> comment-like area that can be examined. That way it becomes trivial to
> >>>> answer "how was this built?" and all these crappy heuristic checks can
> >>>> get thrown away. In the meantime, I'll continue to work on the crappy
> >>>> heuristic checks. ;)
> >>>
> >>> That sounds complicated, since there are separate compiler flags for every
> >>> object (which may not match) and then the linker flags used to assemble
> >>> the final executable or shared object. Does ELF give you object-specific
> >>> comment areas?
> >>
> >> You can have a comment section generated for each object (as a matter
> >> of fact, gcc does that already to put its version), and the linker
> >> aggregates them in a single section.
> >>
> >> I'm not a big fan of cluttering ELF binaries for a relatively small
> >> benefit. Except maybe if that's moved with the debug info in
> >> /usr/lib/debug.
> >
> > Yeah, I'm not sure what it'd look like, but I would want to see it
> > upstream. Besides being an intrusive change, there are other projects
> > interested in this kind of post-build analysis.
> >
> > -Kees
> >
>
> If I understood it correctly, gcc 4.7 will support adding its switches to
> the debugging data:
>
> http://gcc.gnu.org/gcc-4.7/changes.html
> Other significant improvements
> A new option (-grecord-gcc-switches) was added that appends compiler
> command-line options that might affect code generation to the
> DW_AT_producer attribute string in the DWARF debugging information.
Ah-ha! That must be it. Thanks for finding that!

So, yes, I guess it means that a solid lintian check can be run if the
dbg packages are built also, or something along those lines.

-Kees

--
Kees Cook @debian.org

Archive: http://lists.debian.org/20120302211452.gl3...@outflux.net
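A sketch of the kind of post-build check the thread is pointing at, added here as an example and not code from the thread, from lintian or from gcc: it parses the DW_AT_producer string that `readelf --debug-dump=info` prints for each compilation unit and reports which units lack a required switch. The readelf output format, the constructed dump and the one-flag policy are assumptions of this example.

```python
import re

# DW_AT_producer as printed by `readelf --debug-dump=info`; assumed format: value inline
# or prefixed by "(indirect string, offset: 0x..): ".
_PRODUCER_RE = re.compile(r"DW_AT_producer\s*:\s*(?:\([^)]*\):\s*)?(?P<value>.*\S)")
# A recorded switch is a "-" token; version numbers like 4.7.0 never start with "-".
_SWITCH_RE = re.compile(r"(?<!\S)-[A-Za-z]\S*")

# Illustrative policy, not Debian's real flag list: any -fstack-protector variant passes.
REQUIRED = ("-fstack-protector",)
NO_SWITCHES = "<no switches recorded>"

# Constructed readelf excerpt: CU 0 has the protector, CU 1 lacks it, CU 2 was built
# without -grecord-gcc-switches so its producer carries no switches at all.
SAMPLE_DUMP = """\
    <c>   DW_AT_producer    : (indirect string, offset: 0x0): GNU C99 4.7.0 -mtune=generic -march=x86-64 -g -O2 -fstack-protector
    <2b>   DW_AT_producer    : (indirect string, offset: 0x5a): GNU C99 4.7.0 -mtune=generic -march=x86-64 -g -O2
    <49>   DW_AT_producer    : (indirect string, offset: 0x90): GNU C99 4.7.0
"""

def producers_from_dump(dump):
    """Return the DW_AT_producer string of every compilation unit in the dump."""
    found = []
    for line in dump.splitlines():
        m = _PRODUCER_RE.search(line)
        if m:
            found.append(m.group("value"))
    return found

def recorded_switches(producer):
    """Switches that -grecord-gcc-switches appended to one producer string."""
    return set(_SWITCH_RE.findall(producer))

def check_producers(producers, required=REQUIRED):
    """Map CU index -> required switches it lacks. Objects can be compiled with
    different flags, so each CU is judged on its own; an empty record is flagged."""
    problems = {}
    for idx, producer in enumerate(producers):
        switches = recorded_switches(producer)
        if not switches:
            problems[idx] = [NO_SWITCHES]
            continue
        missing = [r for r in required
                   if not any(s == r or s.startswith(r + "-") for s in switches)]
        if missing:
            problems[idx] = missing
    return problems
```

For a real package, feed `producers_from_dump` the text of `readelf --debug-dump=info` run on the unstripped binary or the matching file under /usr/lib/debug; a unit that recorded nothing is reported separately because, as the thread notes, absent data is not evidence of a missing flag.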