[hardening-discuss] Bug#823869: please set build flags to explicit values, don't assume defaults

Guillem Jover guillem at debian.org
Tue May 10 08:47:15 UTC 2016


Hi!

On Mon, 2016-05-09 at 21:47:09 +0200, Matthias Klose wrote:
> Package: dpkg,hardening-wrapper
> 
> With GCC 6 (and backported to GCC 5), GCC can be configured with
> --enable-default-pie.  DEB_BUILD_*OPTIONS allows explicit disabling of some
> features, however with changed defaults, all these settings are a no-op.
> Therefore please don't assume any defaults settings, but set these flags
> explicitly.

All current settings for the Debian vendor assume both the current
default compiler (gcc), its version (5) and the supported flags per
arch. Whoever decides to change the default, say to use clang, or a
newer or older version of gcc, with different build flags, ABI, etc.,
is on their own, and should either add a new vendor module, set those
flags globally in the system config, or similar. Because dpkg cannot
ever support any combination the user might decide to use, it's up
to them.

> But also consider explicitly adding -O0 to C*FLAGS when noopt is passed.

This is already the case, because it was mandated by policy.

> For this example, when seeing -pie, add -fno-PIE to C*FLAGS, -no-pie to
> LDFLAGS. 

> This should apply to any feature that is settable by DEB_BUILD_*OPTIONS.

Because this has the potential to break existing builds as it changes
all existing default flags, even when not setting DEB_BUILD_OPTIONS, it
diverges from the above-mentioned dpkg policy and it would be a bit of
a mess, I'm not planning on implementing it. So I'll probably be closing
this as wontfix in a bit.

Thanks,
Guillem
