Re: Bug#552688: Please decide how Debian should enable hardening build flags

Hi, On 25/01/2011 00:05, Kees Cook wrote: > On Mon, Jan 24, 2011 at 01:26:00PM -0800, Don Armstrong wrote: >> 4) What solution would you enact if the CTTE were to have hardening be >> on by default for all Debian packages, but disabled by default for the >> compiler as shipped? > > One of the o

Re: Bug#552688: Please decide how Debian should enable hardening build flags

On Mon, Jan 24, 2011 at 01:26:00PM -0800, Don Armstrong wrote: > On Fri, 21 Jan 2011, Kees Cook wrote: > > This is likely the core of the disagreement: how to apply the flags. > > I have a strong opinion about this because my perspective is > > security-oriented. I think all compiles should be hard

Re: Bug#552688: Please decide how Debian should enable hardening build flags

On Fri, 21 Jan 2011, Kees Cook wrote: > This is likely the core of the disagreement: how to apply the flags. > I have a strong opinion about this because my perspective is > security-oriented. I think all compiles should be hardened; default > to being secure, and whitelist that which needs things

Re: Bug#552688: Please decide how Debian should enable hardening build flags

On Sun, 21 Nov 2010, Matthias Klose wrote: > On Sat, 20 Nov 2010, Don Armstrong wrote: > >There are a couple of things here that should be worked out first > >before the CTTE can make a decision: > > I assume that there is a decision to turn on hardening defaults? No one has decided anything. I'm

Re: Bug#552688: Please decide how Debian should enable hardening build flags

dave b wrote: > On 21 November 2010 02:45, Jonathan Nieder wrote: >> Also, I am not the GCC maintainer, but from experience of receiving >> reports from people building software with Ubuntu, I think changing >> the defaults in GCC is quite wrong. > > Why do you think this? Well, I should scale t

Re: Bug#552688: Please decide how Debian should enable hardening build flags

On 21 November 2010 02:45, Jonathan Nieder wrote: > Hi, > > Raphael Hertzog wrote: > >> We have dpkg-buildflags available but few packages are using it and it's >> unlikely they will be all converted in the wheezy timeframe. > > I agree with the precise meaning of this statement, but the spirit se

Re: Bug#552688: Please decide how Debian should enable hardening build flags

Hi, Raphael Hertzog wrote: > We have dpkg-buildflags available but few packages are using it and it's > unlikely they will be all converted in the wheezy timeframe. I agree with the precise meaning of this statement, but the spirit seems quite wrong. For the packages I am involved in (not many)