12-13-2011, 10:10 PM
Kees Cook

Hardening release goal blocker

Hi,

So, recently it came to my attention that CDBS is not behaving very nicely
with dpkg-buildflags, which is causing problems for us to meet the release
goal of getting more packages built with compiler hardening enabled:
https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags

Notably, I'm curious about this:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=651964

I think this is broken behavior on CDBS's part, and that the "some
packages" mentioned should be fixed so that all the other packages aren't
hampered by the problem.

This is especially true in the face of:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=651966

Which means there's no way short of calling dpkg-buildflags directly to get
a fully hardening build using only CDBS.

What's the right way forward to have CDBS and dpkg-buildflags play nice
together?

Thanks,

-Kees

--
Kees Cook @debian.org


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20111213231042.GP5169@outflux.net
 
12-14-2011, 02:48 AM
Jonas Smedegaard

Hardening release goal blocker

Hi,

On 11-12-13 at 03:10pm, Kees Cook wrote:
> Hi,
>
> So, recently it came to my attention that CDBS is not behaving very
> nicely with dpkg-buildflags, which is causing problems for us to meet
> the release goal of getting more packages built with compiler
> hardening enabled:
> https://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags
>
> Notably, I'm curious about this:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=651964
>
> I think this is broken behavior on CDBS's part, and that the "some
> packages" mentioned should be fixed so that all the other packages
> aren't hampered by the problem.
>
> This is especially true in the face of:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=651966
>
> Which means there's no way short of calling dpkg-buildflags directly to
> get a fully hardening build using only CDBS.
>
> What's the right way forward to have CDBS and dpkg-buildflags play
> nice together?

I would be happy to change CDBS to always behave sanely (i.e. make
CDBS_FIX_COMPILE_FLAGS=1 the default behaviour).

This would, however, require someone to do the work of investigating and
correcting any and all packages in the Debian archive that depend on
the older arguably broken behaviour.


Kind regards,

- Jonas

--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/

[x] quote me freely [ ] ask before reusing [ ] keep private
 
12-14-2011, 07:38 PM
Kees Cook

Hardening release goal blocker

On Wed, Dec 14, 2011 at 10:48:00AM +0700, Jonas Smedegaard wrote:
> On 11-12-13 at 03:10pm, Kees Cook wrote:
> > Notably, I'm curious about this:
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=651964
> >
> > I think this is broken behavior on CDBS's part, and that the "some
> > packages" mentioned should be fixed so that all the other packages
> > aren't hampered by the problem.
>
> I would be happy to change CDBS to always behave sanely (i.e. make
> CDBS_FIX_COMPILE_FLAGS=1 the default behaviour).
>
> This would, however, require someone to do the work of investigating and
> correcting any and all packages in the Debian archive that depend on
> the older arguably broken behaviour.

I'd be happy to help getting some bugs opened and doing rebuild tests. Is
the failure condition easy to spot?

-Kees

--
Kees Cook @debian.org


Archive: http://lists.debian.org/20111214203809.GQ5169@outflux.net
 
