* Steve Langasek:

>> Harden flags set AND ENFORCED on build environment (harden package)
>
> There is no way to "enforce" the use of hardening flags.
There is a way, involving multiple steps:

1. Put -grecord-gcc-switches into the hardening flags.
2. Make debuginfo packages mandatory.
3. Make full debuginfo coverage for ELF objects mandatory. This needs tooling which does not exist yet.
4. Check that all recorded GCC switches (see step 1) contain hardening flags.
5. Add the checks to Lintian.

Steps 2 and 3 are the difficult ones. There is independent work on automatic debuginfo package generation, so step 2 might eventually become a possibility. Step 3 should be relatively straightforward to write for someone who is familiar with elfutils and DWARF. In fact, eu-checksec is on my long-term TODO list, and steps 3 and 4 could be part of that.
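As an added illustration of step 4 (not code from the thread or from elfutils/Lintian): a script that reads the DW_AT_producer strings that -grecord-gcc-switches leaves in the debug info, from the text output of `readelf --debug-dump=info`, and reports per compilation unit which hardening flags are not in effect. The required flag set is an assumption modelled on Debian's dpkg-buildflags, and the readelf excerpt is constructed.

```python
"""Check DW_AT_producer strings for hardening flags (constructed example).
With -grecord-gcc-switches GCC appends its code-generation options to
DW_AT_producer of every CU; this parses `readelf --debug-dump=info` output."""
import re

# Assumed required compiler-side flags, modelled on Debian's dpkg-buildflags
# set: (enabling token, disabling token); the last occurrence wins, as in GCC.
# Not covered: -z relro/now go to ld, and GCC omits -D/-U/-I (FORTIFY_SOURCE).
FLAGS = {
    "stack-protector": (r"-fstack-protector(-strong|-all)?", r"-fno-stack-protector"),
    "pie": (r"-f(PIE|pie)", r"-fno-(PIE|pie)"),
    "format-security": (r"-W(error=)?format-security", r"-Wno-format-security"),
}

def parse_producers(readelf_text):
    """Return DW_AT_producer strings, one per CU, from a readelf info dump."""
    producers = []
    for line in readelf_text.splitlines():
        m = re.search(r"DW_AT_producer\s*:\s*(.*)", line)
        if m:  # strip readelf's "(indirect string, offset: 0x..):" decoration
            producers.append(re.sub(r"^(\([^)]*\)\s*:?\s*)+", "", m.group(1)).strip())
    return producers

def missing_hardening(producer):
    """Return sorted names of required flags not in effect for this CU."""
    missing = []
    for name, (on, off) in FLAGS.items():
        enabled = False
        for tok in producer.split():
            if re.fullmatch(on, tok) or re.fullmatch(off, tok):
                enabled = bool(re.fullmatch(on, tok))
        if not enabled:
            missing.append(name)
    return sorted(missing)

def check(readelf_text):
    """Return [(producer, missing_flags), ...] for every CU in the dump."""
    return [(p, missing_hardening(p)) for p in parse_producers(readelf_text)]

# Constructed excerpt: CU 1 is hardened; CU 2 lost the stack protector to a
# trailing -fno-stack-protector and never had -Werror=format-security.
SAMPLE = """\
 <0><b>: Abbrev Number: 1 (DW_TAG_compile_unit)
    <c>   DW_AT_producer    : (indirect string, offset: 0x1b): GNU C17 10.2.1 20210110 -mtune=generic -march=x86-64 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -fPIE
 <0><2a>: Abbrev Number: 1 (DW_TAG_compile_unit)
    <2b>   DW_AT_producer    : (indirect string, offset: 0x40): GNU C17 10.2.1 20210110 -mtune=generic -march=x86-64 -g -O2 -fstack-protector-strong -fPIE -fno-stack-protector
"""

if __name__ == "__main__":
    for producer, missing in check(SAMPLE):
        print("OK " if not missing else "BAD", missing, producer)
```

On a real package, feed it `readelf --debug-dump=info` of each object in the debuginfo package; a CU whose producer lacks the flags is one that the build system compiled without the distribution's CFLAGS.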