Hardening release goal blocker
Hi,

So, recently it came to my attention that CDBS is not behaving very nicely with dpkg-buildflags, which is causing problems for us to meet the release goal of getting more packages built with compiler hardening enabled:
https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags

Notably, I'm curious about this:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=651964

I think this is broken behavior on CDBS's part, and that the "some packages" mentioned should be fixed so that all the other packages aren't hampered by the problem.

This is especially true in the face of:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=651966

Which means there's no way short of calling dpkg-buildflags directly to get a fully hardening build using only CDBS. :(

What's the right way forward to have CDBS and dpkg-buildflags play nice together? :)

Thanks,

-Kees

--
Kees Cook @debian.org
Hardening release goal blocker
Hi,

On 11-12-13 at 03:10pm, Kees Cook wrote:
> Hi,
>
> So, recently it came to my attention that CDBS is not behaving very
> nicely with dpkg-buildflags, which is causing problems for us to meet
> the release goal of getting more packages built with compiler
> hardening enabled:
> https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
>
> Notably, I'm curious about this:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=651964
>
> I think this is broken behavior on CDBS's part, and that the "some
> packages" mentioned should be fixed so that all the other packages
> aren't hampered by the problem.
>
> This is especially true in the face of:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=651966
>
> Which means there's no way short of calling dpkg-buildflags directly to
> get a fully hardening build using only CDBS. :(
>
> What's the right way forward to have CDBS and dpkg-buildflags play
> nice together? :)

I would be happy to change CDBS to always behave sanely (i.e. make CDBS_FIX_COMPILE_FLAGS=1 the default behaviour).

This would, however, require someone to do the work of investigating and correcting any and all packages in the Debian archive that depend on the older arguably broken behaviour.

Kind regards,

 - Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private
Hardening release goal blocker
On Wed, Dec 14, 2011 at 10:48:00AM +0700, Jonas Smedegaard wrote:
> On 11-12-13 at 03:10pm, Kees Cook wrote:
> > Notably, I'm curious about this:
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=651964
> >
> > I think this is broken behavior on CDBS's part, and that the "some
> > packages" mentioned should be fixed so that all the other packages
> > aren't hampered by the problem.
>
> I would be happy to change CDBS to always behave sanely (i.e. make
> CDBS_FIX_COMPILE_FLAGS=1 the default behaviour).
>
> This would, however, require someone to do the work of investigating and
> correcting any and all packages in the Debian archive that depend on
> the older arguably broken behaviour.

I'd be happy to help getting some bugs opened and doing rebuild tests. Is the failure condition easy to spot?

-Kees

--
Kees Cook @debian.org