Hi,

With so many maintainers working to make sure that dpkg-buildflags defaults are getting into their packages, I thought it might be fun to see what sort of progress has been made on security hardening build flags[1].

I took an optimistic approach to the data, since there are situations where lacking stack-protector and fortify isn't a mistake[2]. I assume that if any hardening feature is found in any binary package, then the source package was built with that feature intentionally enabled. For collection, I used the amd64 architecture, and my approach was:

- report count of all source packages that produce at least 1 binary package that contains at least 1 ELF.
- report count of all source packages that produce at least 1 binary package that contains at least 1 ELF that is built with stack-protector.
- same again for fortify, relro, bindnow, and pie.

sources building ELFs:     9429
built with stackprotector: 1845 (19.6%)
built with fortify:        1058 (11.2%)
built with relro:          1521 (16.1%)
built with bindnow:         385 (4.1%)
built with pie:             363 (3.4%)

This is very exciting! It was only a short time ago when just a handful of packages were building with hardening options. Now we're almost to 20% on stack-protector. :)

Thank you everyone for your great work!

I'm going to work on getting this graphed daily, like the debhelper statistics[3].

-Kees

[1] http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
[2] http://wiki.debian.org/Hardening#Validation
[3] http://www.chiark.greenend.org.uk/ucgi/~cjwatson/blosxom/debian/2010-07-10-debhelper-statistics-redux.html

-- 
Kees Cook @debian.org

Archive: http://lists.debian.org/20120401074937.gj8...@outflux.net
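Kees's counts come from inspecting every ELF inside each binary package for the five features. As an added example (not Kees's collection script and not Debian's hardening-check tool), here is a small pure-Python checker: it reads the ELF64 header, program headers and dynamic section to decide pie, relro and bindnow, and scans the dynamic string table for __stack_chk_fail and __*_chk names as the stack-protector and fortify signals; build_sample_elf constructs a toy image so it runs without real binaries. The string-table scan is a heuristic, which is exactly why a binary with no stack arrays or no fortifiable calls can legitimately show neither feature, as the validation notes in [2] explain.

```python
import struct

# Standard ELF constants (ELF ABI plus GNU/Linux extensions); added example, not Kees's collection script.
ET_EXEC, ET_DYN, PT_LOAD, PT_DYNAMIC, PT_GNU_RELRO = 2, 3, 1, 2, 0x6474E552
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def check_elf64(data):
    """Report the five hardening features for one little-endian ELF64 image (bytes)."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("only little-endian ELF64 is handled here")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from("<QQIHHH", data, 32)
    feats = {"stackprotector": False, "fortify": False, "relro": False, "bindnow": False, "pie": e_type == ET_DYN}  # PIE is ET_DYN like a shared lib
    loads, dyn = [], None
    for i in range(e_phnum):
        p_type, _, p_off, p_vaddr, _, p_filesz = struct.unpack_from("<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_off, p_vaddr, p_filesz))
        elif p_type == PT_DYNAMIC:
            dyn = (p_off, p_filesz)
        elif p_type == PT_GNU_RELRO:
            feats["relro"] = True   # ld.so re-maps this range read-only once relocation is done
    tags, off = {}, (dyn[0] if dyn else 0)
    while dyn and off + 16 <= dyn[0] + dyn[1]:   # static binaries have no PT_DYNAMIC and skip this loop
        d_tag, d_val = struct.unpack_from("<qQ", data, off)
        if d_tag == DT_NULL:
            break
        tags[d_tag] = d_val
        off += 16
    feats["bindnow"] = DT_BIND_NOW in tags or bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW) or bool(tags.get(DT_FLAGS_1, 0) & DF_1_NOW)
    # DT_STRTAB is a virtual address: map it to a file offset through the PT_LOAD segment that covers it.
    s_off = next((tags[DT_STRTAB] - pv + po for po, pv, sz in loads if pv <= tags[DT_STRTAB] < pv + sz), None) if DT_STRTAB in tags else None
    if s_off is not None and DT_STRSZ in tags:
        names = data[s_off:s_off + tags[DT_STRSZ]].split(b"\0")
        feats["stackprotector"] = b"__stack_chk_fail" in names   # canary-failure handler pulled in by -fstack-protector
        feats["fortify"] = any(n.startswith(b"__") and n.endswith(b"_chk") for n in names)   # e.g. __printf_chk
    return feats

def build_sample_elf(pie=True, relro=True, bindnow=True, names=(b"__stack_chk_fail", b"__printf_chk")):
    """Constructed toy ELF64 image (not a runnable program): one PT_LOAD, a PT_DYNAMIC with string table and DT_FLAGS, optional PT_GNU_RELRO."""
    phnum = 3 if relro else 2
    dyn_off, strtab = 64 + 56 * phnum, b"\0" + b"\0".join(names) + b"\0"
    dyn = struct.pack("<qQqQqQqQ", DT_STRTAB, dyn_off + 64, DT_STRSZ, len(strtab), DT_FLAGS, DF_BIND_NOW if bindnow else 0, DT_NULL, 0)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    def ph(t, o, n): return struct.pack("<IIQQQQQQ", t, 4, o, o, o, n, n, 8)   # p_vaddr == file offset in this toy image
    total = dyn_off + len(dyn) + len(strtab)
    phdrs = ph(PT_LOAD, 0, total) + ph(PT_DYNAMIC, dyn_off, len(dyn)) + (ph(PT_GNU_RELRO, dyn_off, len(dyn)) if relro else b"")
    return ehdr + phdrs + dyn + strtab
```

Kees's optimistic per-source rule is then just any() over check_elf64 results for every ELF shipped by a source package's binary packages.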