On Fri, 21 Jan 2011, Kees Cook wrote:
> This is likely the core of the disagreement: how to apply the flags.
> I have a strong opinion about this because my perspective is
> security-oriented. I think all compiles should be hardened; default
> to being secure, and whitelist that which needs things disabled.
> Same policy applies to firewalls, etc. As before, I stand by my
> original email that started this thread:
> http://lists.debian.org/debian-gcc/2009/10/msg00186.html

1) Can a complete patch to enable hardening by default include
   specific documentation on how to disable it? [Can this "return to a
   default compiler" be made simpler than switching the three or four
   options currently used?]

2) The current state of the patch doesn't properly document that the
   flag is on by default; if the patch is enabled, it should say so in
   the documentation, not referencing a version of Ubuntu.

3) Who is willing to do a complete rebuild with the patch enabled and
   handle filing any bugs (with appropriate patches, ideally) that
   turn up? [On how many architectures?]

4) What solution would you enact if the CTTE were to have hardening be
   on by default for all Debian packages, but disabled by default for
   the compiler as shipped?

Matthias: if #3 were to be done, and some mechanism of either doing #4
or #1 were required, what additional objections (if any) would you
have?

Don Armstrong

-- 
Let me bring you up to speed:
We know nothing. You are now up to speed.
 -- Steve Martin as Inspector Clouseau in _The Pink Panther 2_ (2009)

http://www.donarmstrong.com              http://rzlab.ucr.edu