Bug#653191: Please enable hardened build flags through dpkg-buildpackage
intrigeri
intrigeri at debian.org
Wed Apr 18 08:06:00 UTC 2012
tags 653191 + patch
thanks
Hi Mike,

Moritz Mühlenhoff wrote (14 Jan 2012 12:34:45 GMT):
> But it would be nice if you could enable the protected stack and
> fortified source features for iceweasel and iceape.

The attached patch enables the protected stack and fortified source
build flags.

Given concerns were raised regarding dpkg-buildflags injecting
non-hardening flags, the attached patch uses the DEB_*_MAINT_STRIP
variables to strip any such non-hardening flags dpkg-buildflags would
normally inject (namely: -g -O2).

The resulting binary (10.0.3esr-3 + my patch) works fine for me on my
Debian sid system.

For the record, I have intentionally left relro, bindnow and PIE for
further discussion and iterations: better have iceweasel built with
minimal hardening flags than none. Note, though, that Ubuntu's Firefox
binary has been built with all these features for a while; any idea
how other major distributions do?

Regards,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: iceweasel-hardening.patch
Type: text/x-diff
Size: 1278 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-mozilla-maintainers/attachments/20120418/0e72ef55/attachment.patch>