hardened toolchain options via "hardening-wrapper"

Tollef Fog Heen tfheen at canonical.com
Mon Jan 28 18:40:35 GMT 2008

* Kees Cook 

| - have a central place to control hardening compiler options
|   (implemented in the short-term as a compiler wrapper, and long-term
|   as a change to how packaging must respect compiler flags).

DEB_BUILD_OPTIONS + changing PATH so you have a gcc wrapper which
mangles compiler flags sounds like a straightforward way of achieving
this?  (See how ccache does this, for instance)

| - must be able to use compilers normally when hardening-wrapper is
|   installed (i.e. must enable via an env variable).

DEB_BUILD_OPTIONS is an environment variable.

| - dpkg-buildpackage in Hardy+1 should enable DEB_BUILD_HARDENING=1 when
|   hardening-wrapper is installed.  (Allowing for "misbehaving" packages
|   to disable all or part of the hardening in the debian/rules file via
|   various env vars.)

I'm not really understanding the rationale for DEB_BUILD_HARDENING (as
in, why is it a separate environment variable?); it's not in the spec.
Could you either update the spec or write something about it here?

Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
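
The mechanism discussed in this message (a compiler wrapper found first on PATH, as ccache does, that only changes flags when an environment variable is set), sketched as an added example; it is not part of the original email and not hardening-wrapper's own code. The choice of injected flags and the per-feature opt-out variable names (DEB_BUILD_HARDENING_STACKPROTECTOR, DEB_BUILD_HARDENING_FORTIFY, DEB_BUILD_HARDENING_RELRO) are assumptions made for the example.

```shell
#!/bin/sh
# Added sketch of a PATH-shim compiler wrapper; not hardening-wrapper's own code.

# Print the flags to inject, one per line. Nothing is printed unless
# DEB_BUILD_HARDENING=1, so normal compiler use is unaffected.
hardening_flags() {
    [ "${DEB_BUILD_HARDENING:-0}" = "1" ] || return 0
    linking=1
    for arg in "$@"; do
        case "$arg" in -c|-S|-E) linking=0 ;; esac  # no link step
    done
    # Per-feature opt-outs for "misbehaving" packages (names are assumptions).
    if [ "${DEB_BUILD_HARDENING_STACKPROTECTOR:-1}" != "0" ]; then
        echo "-fstack-protector"
    fi
    if [ "${DEB_BUILD_HARDENING_FORTIFY:-1}" != "0" ]; then
        echo "-D_FORTIFY_SOURCE=2"
    fi
    if [ "$linking" = 1 ] && [ "${DEB_BUILD_HARDENING_RELRO:-1}" != "0" ]; then
        echo "-Wl,-z,relro"
    fi
}

# Print the first executable called $1 on PATH that is not in the shim dir $2.
find_real_compiler() {
    name=$1; shim_dir=$2
    old_ifs=$IFS; IFS=:
    for dir in $PATH; do
        if [ "$dir" != "$shim_dir" ] && [ -x "$dir/$name" ]; then
            IFS=$old_ifs; echo "$dir/$name"; return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

wrapper_main() {
    shim_dir=$(cd "$(dirname "$0")" && pwd)
    real=$(find_real_compiler "$(basename "$0")" "$shim_dir") || exit 127
    # The injected flags contain no whitespace, so word splitting is safe here.
    exec "$real" $(hardening_flags "$@") "$@"
}

# Act as the wrapper only when invoked under a compiler name (symlinked into
# a directory placed first on PATH); otherwise just define the functions.
case "${0##*/}" in gcc|g++|cc) wrapper_main "$@" ;; esac
```

Skipping the shim's own directory when resolving the real compiler is what prevents the wrapper from re-executing itself.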
