Enable GCC hardening by default


 



This was briefly discussed over on debian-devel. Would this be something Fedora might want to do, too?

-------- Original Message --------
Subject: Re: Bits from the Security Team
Resent-Date: Sat, 08 Mar 2014 18:24:06 +0100
Resent-From: Florian Weimer <fw@xxxxxxxxxxxxx>
Resent-To: fweimer@xxxxxxxxxx
Date: Fri, 7 Mar 2014 10:42:12 +0100
From: Moritz Muehlenhoff <jmm@xxxxxxxxxx>
To: Matthias Klose <doko@xxxxxxxxxx>
CC: Paul Wise <pabs@xxxxxxxxxx>, debian-devel@xxxxxxxxxxxxxxxx, security@xxxxxxxxxx

On Thu, Mar 06, 2014 at 05:33:42AM +0100, Matthias Klose wrote:
> On 06.03.2014 02:00, Paul Wise wrote:
>>> * The distribution hardening using dpkg-buildflags is coming along
>>>   nicely.
>>
>> Unfortunately this doesn't apply to binaries compiled outside of the
>> package building system. It would be great if we could adopt the
>> Ubuntu approach of just enabling the flags in GCC itself. Even better
>> would be to get GCC upstream to finally enable them by default.
>
> This should not be enabled in the distro itself, and if, then not before it can
> be enabled upstream.  From my point of view it was a mistake to enable it this
> way before getting this upstream.  However it is a lot of work to get the
> compiler to build itself with these flags and the testsuite produce the same
> results as without these.  In the past neither the Ubuntu security team nor the
> Google ChromeOS team had time and resources to bring these patches upstream.

I agree we should stick with dpkg-buildflags until this is fixed upstream.
Gentoo Hardened tried to upstream this a year ago, but apparently this didn't make
the cut yet:
http://gcc.gnu.org/ml/gcc-patches/2012-09/msg00473.html

As for the GSoC project; GCC participates, if anyone wants to push this, I suggest
to talk to GCC developers and see whether there's a mentor available.

Cheers,
        Moritz


Archive: https://lists.debian.org/20140307094212.GA1695@xxxxxxxxxx








