hardened toolchain options via "hardening-wrapper"

Lars Wirzenius lars at canonical.com
Mon Jan 28 20:04:41 GMT 2008


On Mon, 2008-01-28 at 11:14 -0800, Kees Cook wrote:
> On Mon, Jan 28, 2008 at 07:40:35PM +0100, Tollef Fog Heen wrote:
> > * Kees Cook 
> > 
> > | - have a central place to control hardening compiler options
> > |   (implemented in the short-term as a compiler wrapper, and long-term
> > |   as a change to how packaging must respect compiler flags).
> > 
> > DEB_BUILD_OPTIONS + changing PATH so you have gcc wrapper which
> > mangles compiler flags sounds like a straightforward way of achieving
> > this?  (See how ccache does this, for instance)
> 
> I wanted to catch builds that called the compiler directly (e.g. as
> "/usr/bin/gcc-4.2" not just "gcc-4.2").

Builds doing that would seem to me to be buggy, precisely because they
prevent this kind of thing. Finding them and getting them fixed would be
a kindness to everyone.