This was briefly discussed over on debian-devel. Would this be something
Fedora might want to do, too?
-------- Original Message --------
Subject: Re: Bits from the Security Team
Resent-Date: Sat, 08 Mar 2014 18:24:06 +0100
Resent-From: Florian Weimer <fw(a)deneb.enyo.de>
Date: Fri, 7 Mar 2014 10:42:12 +0100
From: Moritz Muehlenhoff <jmm(a)inutil.org>
To: Matthias Klose <doko(a)debian.org>
CC: Paul Wise <pabs(a)debian.org>, debian-devel(a)lists.debian.org,
On Thu, Mar 06, 2014 at 05:33:42AM +0100, Matthias Klose wrote:
On 06.03.2014 02:00, Paul Wise wrote:
>> * The distribution hardening using dpkg-buildflags is coming along
> Unfortunately this doesn't apply to binaries compiled outside of the
> package building system. It would be great if we could adopt the
> Ubuntu approach of just enabling the flags in GCC itself. Even better
> would be to get GCC upstream to finally enable them by default.
This should not be enabled in the distro itself, and if, then not before it can
be enabled upstream. From my point of view it was a mistake to enable it this
way before getting this upstream. However it is a lot of work to get the
compiler to build itself with these flags and the testsuite produce the same
results as without these. In the past neither the Ubuntu security team nor the
Google ChromeOS team had time and resources to bring these patches upstream.
I agree we should stick with dpkg-buildflags until this is fixed upstream.
Gentoo Hardened tried to upstream this a year ago, but apparently this hasn't made
the cut yet:
As for the GSoC project: GCC participates, so if anyone wants to push this,
talk to the GCC developers and see whether there's a mentor available.
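A practical way to check the point raised above, that binaries built outside the package build system do not pick up the dpkg-buildflags hardening, is to inspect the resulting ELF file. The script below is an added example, not Debian's or dpkg's own code: it parses the ELF64 header and program headers to report PIE, non-executable stack and RELRO, and builds a constructed sample image so it can be exercised without a real binary.

```python
"""Report hardening properties of an ELF64 binary (added example).

Checks position-independent executable (e_type == ET_DYN), non-executable
stack (PT_GNU_STACK without PF_X) and partial RELRO (a PT_GNU_RELRO
segment).  Stack protector and FORTIFY need symbol-table inspection and
full RELRO needs DT_BIND_NOW; those are out of scope here."""
import struct
import sys

PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, ET_EXEC, ET_DYN = 1, 2, 3


def check_hardening(data: bytes) -> dict:
    """Parse a little-endian ELF64 image held in `data`."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx_stack = False  # no PT_GNU_STACK at all means an executable stack
    relro = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"pie": e_type == ET_DYN, "nx_stack": nx_stack, "relro": relro}


def build_sample_elf(pie: bool, nx: bool, relro: bool) -> bytes:
    """Construct a minimal, headers-only ELF64 image for demonstration."""
    phdrs = [struct.pack("<IIQQQQQQ", PT_GNU_STACK, 6 if nx else 7, 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LE, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC,
                               62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(phdrs)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real binary given on the command line
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], check_hardening(f.read()))
    else:  # constructed samples: a hardened build and an unhardened one
        print("hardened  ", check_hardening(build_sample_elf(True, True, True)))
        print("unhardened", check_hardening(build_sample_elf(False, False, False)))
```

On Debian, hardening-check(1) from devscripts performs a fuller version of this check, including stack protector and FORTIFY symbols.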