On Tue, Jun 24, 2014 at 06:33:33PM +0200, Romain Francoise wrote:
> On Tue, Jun 24, 2014 at 07:11:58AM -0700, Kees Cook wrote:
> > I wonder if there is any sensible way for dpkg-buildflags to detect (or
> > maybe just be told) which compiler will be used for a build? Perhaps it
> > could take a new argument that would allow it to select flags based on the
> > compiler name and version?
> >
> > dpkg-buildflags --compiler=gcc-4.7
>
> Hmm. This could quickly become a huge headache, and in general I think
> that we shouldn't encourage maintainers to use a non-standard/older
> toolchain, it causes issues that go beyond hardening. So the cost of
> doing so (like disabling incompatible flags) should be borne by the
> package, not dpkg.
>
> It would perhaps make more sense in terms of GCC vs. Clang, but in this
> case -fstack-protector-strong is already supported by Clang 3.5.

Sounds good to me! I would prefer the default just be the default, honestly.

> >> * needs test suite upgrade for -fstack-protector-strong:
> >> - hardening-wrapper 2.5
> >
> > I can get this fixed up. Though really hardening-wrapper should be
> > deprecated for Jessie.
>
> I guess I should file a bug against hardening-wrapper in any case?

That would be helpful, thank you!

-Kees

--
Kees Cook @debian.org
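A sketch of the package-side approach discussed in this thread, added here as an example and not part of the original messages: a package building with an older compiler probes it for -fstack-protector-strong and, if the flag is rejected, emits dpkg-buildflags maintainer overrides (`DEB_<flag>_MAINT_STRIP` / `DEB_<flag>_MAINT_APPEND`) that fall back to -fstack-protector. The function names `supports_flag` and `stack_protector_overrides` are hypothetical.

```shell
#!/bin/sh
# Added example: package-side fallback when the chosen compiler does not
# accept -fstack-protector-strong. Function names are hypothetical.

# supports_flag CC FLAG: succeed if CC compiles an empty program with FLAG.
# -Werror makes a compiler that only warns about an unrecognised option
# fail the probe instead of silently passing it.
supports_flag() {
    cc=$1
    flag=$2
    tmp=$(mktemp -d) || return 2
    printf 'int main(void) { return 0; }\n' > "$tmp/probe.c"
    "$cc" -Werror "$flag" -c "$tmp/probe.c" -o "$tmp/probe.o" \
        >/dev/null 2>&1 && rc=0 || rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# stack_protector_overrides CC: print nothing when the default flag works.
# Otherwise print assignments that strip -fstack-protector-strong and append
# the older -fstack-protector, for export before dpkg-buildflags is called.
# Fails if the compiler accepts neither flag, so the build does not end up
# silently unprotected.
stack_protector_overrides() {
    cc=$1
    if supports_flag "$cc" -fstack-protector-strong; then
        return 0
    fi
    if ! supports_flag "$cc" -fstack-protector; then
        echo "error: $cc accepts no stack protector flag" >&2
        return 1
    fi
    for var in CFLAGS CXXFLAGS; do
        echo "DEB_${var}_MAINT_STRIP=-fstack-protector-strong"
        echo "DEB_${var}_MAINT_APPEND=-fstack-protector"
    done
}

# Usage (compiler name taken from the thread's example):
#   stack_protector_overrides gcc-4.7
```

The printed assignments can be exported from debian/rules before it queries dpkg-buildflags, which keeps the compatibility cost in the package as the thread suggests.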