On Thu, Mar 06, 2014 at 05:33:42AM +0100, Matthias Klose wrote:
> On 06.03.2014 02:00, Paul Wise wrote:
> >> * The distribution hardening using dpkg-buildflags is coming along
> >> nicely.
> >
> > Unfortunately this doesn't apply to binaries compiled outside of the
> > package building system. It would be great if we could adopt the
> > Ubuntu approach of just enabling the flags in GCC itself. Even better
> > would be to get GCC upstream to finally enable them by default.
>
> This should not be enabled in the distro itself, and if, then not before it
> can be enabled upstream. From my point of view it was a mistake to enable it
> this way before getting this upstream. However it is a lot of work to get the
> compiler to build itself with these flags and the testsuite produce the same
> results as without these. In the past neither the Ubuntu security team nor
> the Google ChromeOS team had time and resources to bring these patches
> upstream.
I agree we should stick with dpkg-buildflags until this is fixed upstream.
Gentoo Hardened tried to upstream this a year ago, but apparently this didn't
make the cut yet:
http://gcc.gnu.org/ml/gcc-patches/2012-09/msg00473.html

As for the GSoC project; GCC participates, if anyone wants to push this, I
suggest to talk to GCC developers and see whether there's a mentor available.

Cheers,
Moritz

--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140307094212.ga1...@inutil.org
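Whichever way the flags get applied (dpkg-buildflags at package build time or defaults in the compiler), the question a packager ends up asking is whether a given binary actually received them. As an added example that is not part of this thread, the following stand-alone Python inspector reads only the ELF64 file header and program headers to report PIE (ET_DYN), a non-executable stack (PT_GNU_STACK without PF_X) and RELRO (PT_GNU_RELRO), roughly the subset of checks Debian's hardening-check script performs; the sample image it runs on is a constructed, header-only ELF, not a real binary.

```python
import struct

# ELF constants (System V ABI / GNU extensions)
ET_EXEC, ET_DYN = 2, 3
EM_X86_64 = 62
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
EHDR_FMT, PHDR_FMT = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ"   # ELF64, little-endian


def check_hardening(elf: bytes) -> dict:
    """Report pie / nx / relro for a little-endian ELF64 image.

    'relro' only means a PT_GNU_RELRO segment exists (partial RELRO);
    full RELRO additionally needs DT_BIND_NOW in the dynamic section,
    which this header-only check does not read.
    """
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR_FMT, elf, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    result = {"pie": e_type == ET_DYN, "nx": False, "relro": False}
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:      # absent PT_GNU_STACK means executable stack
            result["nx"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            result["relro"] = True
    return result


def make_sample_elf(pie: bool, nx: bool, relro: bool) -> bytes:
    """Constructed minimal ELF64 image: header plus the program headers read above."""
    phdrs = [(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X))]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)     # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = struct.pack(EHDR_FMT, ident, ET_DYN if pie else ET_EXEC, EM_X86_64, 1,
                       0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack(PHDR_FMT, t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_elf(True, True, True)
    print(check_hardening(data))
```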