hardened toolchain options via "hardening-wrapper"
Kees Cook
kees at ubuntu.com
Mon Jan 28 18:06:49 GMT 2008
On Thu, Jan 24, 2008 at 02:27:57PM +0100, Tollef Fog Heen wrote:
> * Kees Cook
> | To perform package builds with the options enabled, a developer needs
> | to do two things:
> | - install hardening-wrapper (surprise!)
> | - set the environment variable DEB_BUILD_HARDENING=1
>
> Any reason why this isn't just «add 'harden' to DEB_BUILD_OPTIONS»?
> We already have a standard mechanism for twiddling builds and
> supporting that would make sense.

The idea was to try to make the wrapper and the build system somewhat
independent. I should probably have used an env namespace that didn't
start with DEB_BUILD to avoid confusion.

I'm happy to change behavior in whatever ways make sense. From UDS, the
requirements were:

- have a central place to control hardening compiler options
  (implemented in the short-term as a compiler wrapper, and long-term
  as a change to how packaging must respect compiler flags).
- must be able to use compilers normally when hardening-wrapper is
  installed (i.e. must enable via an env variable).
- dpkg-buildpackage in Hardy+1 should enable DEB_BUILD_HARDENING=1 when
  hardening-wrapper is installed. (Allowing for "misbehaving" packages
  to disable all or part of the hardening in the debian/rules file via
  various env vars.)

We could certainly add "DEB_BUILD_OPTIONS=harden" knowledge to
dpkg-buildpackage (enforce hardening-wrapper be installed, set
DEB_BUILD_HARDENING=1). What do people think of this approach?

-Kees
--
Kees Cook
Ubuntu Security Team