hardened toolchain options via "hardening-wrapper"

Kees Cook kees at ubuntu.com
Mon Jan 28 18:06:49 GMT 2008

On Thu, Jan 24, 2008 at 02:27:57PM +0100, Tollef Fog Heen wrote:
> * Kees Cook 
> | To perform package builds with the options enabled, a developer needs
> | to do two things:
> | - install hardening-wrapper (surprise!)
> | - set the environment variable DEB_BUILD_HARDENING=1
> Any reason why this isn't just «add 'harden' to DEB_BUILD_OPTIONS»?
> We already have a standard mechanism for twiddling builds and
> supporting that would make sense.

The idea was to try to make the wrapper and the build system somewhat
independent.  I should probably have used an env namespace that didn't
start with DEB_BUILD to avoid confusion.

I'm happy to change behavior in whatever ways make sense.  From UDS, the
requirements were:

- have a central place to control hardening compiler options
  (implemented in the short-term as a compiler wrapper, and long-term
  as a change to how packaging must respect compiler flags).
- must be able to use compilers normally when hardening-wrapper is
  installed (i.e. must enable via a env variable).
- dpkg-buildpackage in Hardy+1 should enable DEB_BUILD_HARDENING=1 when
  hardening-wrapper is installed.  (Allowing for "misbehaving" packages
  to disable all or part of the hardening in the debian/rules file via
  various env vars.)

We could certainly add "DEB_BUILD_OPTIONS=harden" knowledge to
dpkg-buildpackage (enforce hardening-wrapper be installed, set
DEB_BUILD_HARDENING=1).  What do people think of this approach?


Kees Cook
Ubuntu Security Team

More information about the ubuntu-devel mailing list