Re: Expanding the list of "Hardened Packages"


 



On Saturday, March 30, 2013 08:54:30 AM Dhiru Kholia wrote:
> On Fri, Mar 29, 2013 at 10:43 PM, Richard W.M. Jones <rjones@xxxxxxxxxx> wrote:
> > On Fri, Mar 29, 2013 at 10:08:37PM +0530, Dhiru Kholia wrote:
> > > 1. Hardening flags should be turned on (by default) for all packages
> > > which are at comparatively more risk of being exploited or which meet
> > > some well-defined criteria (suggestions welcome).
> > 
> > Is there somewhere which describes what to do / what flags to enable?
> 
> http://wiki.debian.org/Hardening describes the various hardening flags.
> 
> "_hardened_build" rpm spec macro can be used to harden a package.
> 
> For an example, see
> http://pkgs.fedoraproject.org/cgit/clamav.git/tree/clamav.spec

This flag is overly aggressive. We have a list of programs that need PIE 
enabled and doing more isn't necessarily constructive.

What would be nice is if the autotools got some macros to detect PIE and RELRO 
support in gcc so that it's easy to add to CFLAGS and LDFLAGS so that it can be 
applied more precisely.

-Steve
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
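
The kind of detection asked for above, written as a plain shell probe rather than an autotools macro. This is an added example, not part of the message and not code from autotools or Fedora; `probe_flag` and `hardening_flags` are hypothetical names, and it assumes `CC` is a single command name with a GNU-style driver.

```shell
#!/bin/sh
# Added example: probe which hardening flags the compiler accepts.
# probe_flag and hardening_flags are names made up for this sketch.
# Assumption: CC is a single command name (default gcc) with a GNU-style driver.
: "${CC:=gcc}"

# probe_flag KIND FLAG...  -> returns 0 if $CC accepts FLAG...
# KIND is "compile" (build an object) or "link" (build an executable).
probe_flag() {
    kind=$1; shift
    tmp=$(mktemp -d) || return 2
    printf 'int main(void) { return 0; }\n' > "$tmp/t.c"
    rc=0
    if [ "$kind" = compile ]; then
        "$CC" -Werror "$@" -c "$tmp/t.c" -o "$tmp/t.o" >/dev/null 2>&1 || rc=$?
    else
        # --fatal-warnings: GNU ld only warns about an unknown -z keyword.
        "$CC" -Werror -Wl,--fatal-warnings "$@" "$tmp/t.c" -o "$tmp/t" \
            >/dev/null 2>&1 || rc=$?
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Print CFLAGS=/LDFLAGS= lines holding only the flags that passed a probe.
hardening_flags() {
    cflags='' ldflags=''
    # PIE needs both halves: -fPIE when compiling and -pie when linking.
    if probe_flag compile -fPIE && probe_flag link -fPIE -pie; then
        cflags='-fPIE' ldflags='-pie'
    fi
    # RELRO first; full RELRO (-z now) only where plain relro links.
    if probe_flag link -Wl,-z,relro; then
        ldflags="${ldflags:+$ldflags }-Wl,-z,relro"
        if probe_flag link -Wl,-z,relro -Wl,-z,now; then
            ldflags="$ldflags -Wl,-z,now"
        fi
    fi
    printf 'CFLAGS=%s\nLDFLAGS=%s\n' "$cflags" "$ldflags"
}

hardening_flags
```

The two output lines can be appended to a package's own CFLAGS and LDFLAGS, so only the binaries that need PIE or RELRO get them.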




