hardened toolchain options via "hardening-wrapper"
Tollef Fog Heen
tfheen at canonical.com
Mon Jan 28 18:40:35 GMT 2008
* Kees Cook
| - have a central place to control hardening compiler options
| (implemented in the short-term as a compiler wrapper, and long-term
| as a change to how packaging must respect compiler flags).
DEB_BUILD_OPTIONS + changing PATH so you have a gcc wrapper which
mangles compiler flags sounds like a straightforward way of achieving
this? (See how ccache does this, for instance.)
| - must be able to use compilers normally when hardening-wrapper is
| installed (i.e. must enable via an env variable).
DEB_BUILD_OPTIONS is an environment variable.
| - dpkg-buildpackage in Hardy+1 should enable DEB_BUILD_HARDENING=1 when
| hardening-wrapper is installed. (Allowing for "misbehaving" packages
| to disable all or part of the hardening in the debian/rules file via
| various env vars.)
I'm not really understanding the rationale for DEB_BUILD_HARDENING (as
in, why is it a separate environment variable?); it's not in the spec.
Could you either update the spec or write something about it here?
--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are
More information about the ubuntu-devel mailing list