This was briefly discussed over on debian-devel. Would this be something Fedora might want to do, too?
-------- Original Message --------
Subject: Re: Bits from the Security Team
Resent-Date: Sat, 08 Mar 2014 18:24:06 +0100
Resent-From: Florian Weimer fw@deneb.enyo.de
Resent-To: fweimer@redhat.com
Date: Fri, 7 Mar 2014 10:42:12 +0100
From: Moritz Muehlenhoff jmm@inutil.org
To: Matthias Klose doko@debian.org
CC: Paul Wise pabs@debian.org, debian-devel@lists.debian.org, security@debian.org
On Thu, Mar 06, 2014 at 05:33:42AM +0100, Matthias Klose wrote:
> On 06.03.2014 02:00, Paul Wise wrote:
>> - The distribution hardening using dpkg-buildflags is coming along nicely.
>> Unfortunately this doesn't apply to binaries compiled outside of the package building system. It would be great if we could adopt the Ubuntu approach of just enabling the flags in GCC itself. Even better would be to get GCC upstream to finally enable them by default.
> This should not be enabled in the distro itself, and if at all, then not before it can be enabled upstream. From my point of view it was a mistake to enable it this way before getting this upstream. However, it is a lot of work to get the compiler to build itself with these flags and have the testsuite produce the same results as without them. In the past neither the Ubuntu security team nor the Google ChromeOS team had the time and resources to bring these patches upstream.
I agree we should stick with dpkg-buildflags until this is fixed upstream. Gentoo Hardened tried to upstream this a year ago, but apparently this didn't make the cut yet: http://gcc.gnu.org/ml/gcc-patches/2012-09/msg00473.html
As for the GSoC project: GCC participates; if anyone wants to push this, I suggest talking to GCC developers and seeing whether there's a mentor available.
Cheers, Moritz
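Paul's point that dpkg-buildflags hardening does not reach binaries built outside the packaging system raises a practical question for anyone auditing a system: how to tell whether a given ELF binary was built with those flags at all. The following is an added example, not code from this thread or from any of the projects mentioned: a small pure-Python ELF64 header check for PIE, non-executable stack and RELRO, exercised on two constructed header images (the `make_elf64` helper and its sample inputs are assumptions for illustration, not real binaries).

```python
import struct

# ELF constants (values from the ELF gABI / Linux ABI).
ET_DYN = 3                  # shared object; a PIE executable is linked as one
PT_GNU_STACK = 0x6474E551   # program header carrying the stack permission bits
PT_GNU_RELRO = 0x6474E552   # region made read-only after relocation (-z relro)
PF_X = 0x1                  # execute bit in p_flags


def elf64_hardening(data: bytes) -> dict:
    """Report PIE / NX-stack / RELRO for a little-endian ELF64 image.

    Stack protector and FORTIFY_SOURCE are not visible in the headers (they
    show up as __stack_chk_fail / *_chk symbol imports), so they are left out.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx = relro = False  # conservative: a missing header counts as unhardened
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", data, off)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def make_elf64(e_type: int, phdrs: list) -> bytes:
    """Constructed test input (assumption, not a loadable binary): an ELF64
    header plus program headers, enough for the checks above.
    phdrs is a list of (p_type, p_flags) tuples."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # 64-bit, LE, v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, 64, 0, 0,
                               64, 56, len(phdrs), 0, 0, 0)
    table = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0)
                     for t, f in phdrs)
    return ehdr + table


if __name__ == "__main__":
    # Shape of a hardened build (PIE, NX stack, RELRO) versus a build with
    # none of those properties (ET_EXEC, executable stack, no RELRO segment).
    hardened = make_elf64(ET_DYN, [(PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)])
    plain = make_elf64(2, [(PT_GNU_STACK, 7)])
    print("hardened:", elf64_hardening(hardened))
    print("plain:   ", elf64_hardening(plain))
```

On a real system the same function can be fed `open(path, "rb").read()` for any ELF64 binary; for the stack-protector and FORTIFY checks the dynamic symbol table has to be parsed as well.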
security@lists.fedoraproject.org