[hardening-discuss] Bug#489771: support for centralized control over hardening-wrapper options

Raphael Hertzog hertzog at debian.org
Mon Jul 7 21:32:16 UTC 2008


On Mon, 07 Jul 2008, Kees Cook wrote:
> This is a patch that adds support for the "hardening-wrapper" package's
> set of build flags, in the hopes of merging hardening-wrapper's
> functionality into dpkg-buildpackage at some point in the future.

Thanks for the patch, but I really dislike the complexity of this whole
setup.

Why couldn't hardening-wrapper directly use the hardening/no-hardening
options from DEB_BUILD_OPTIONS instead of requiring a complete set of
specific environment variables?

I don't want to have to modify dpkg-buildpackage, I'd rather rely on some
new infrastructure to handle build options that I'm currently working on.

In the end, I would like that:
- maintainers can opt-in/opt-out from building hardened binaries with the
  new Build-Options field in debian/control (same syntax as
  DEB_BUILD_OPTIONS with "hardening", "hardening=no<X>,no<Y>" or
  "no-hardening").
- the builder can override the maintainer choice by setting one of these
  flags in DEB_BUILD_OPTIONS
- the build environment always inherits any hardening options from
  debian/control into DEB_BUILD_OPTIONS (if not overridden)

dpkg-buildpackage would be modified to use a modified Dpkg::BuildOptions
that would do this "intelligent option forwarding" but that's all.

How does that sound to you?

Note that I'm not opposed to having dpkg-buildpackage enable hardening
by default in the future (by auto-setting the option unless instructed
otherwise by Build-Option: / DEB_BUILD_OPTIONS). For now, I just
want to not bloat dpkg-buildpackage with too much specific code like this
one and want to integrate this change in a more generic framework.

Cheers,
-- 
Raphaël Hertzog

The French best-seller updated for Debian Etch:
http://www.ouaza.com/livre/admin-debian/
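
The option forwarding proposed in the message above, modelled as an added Python example; it is not dpkg code and not the author's implementation. Assumptions: the function names, the constructed control stanza, options are space-separated, and any hardening flag set by the builder replaces the maintainer's choice as a whole.

```python
import re

# Constructed sample of a debian/control source stanza. "Build-Options" is the
# field proposed in the message; "nofoo,nobar" stand in for its no<X>,no<Y>.
SAMPLE_CONTROL = """\
Source: example
Maintainer: Jane Doe <jane@example.org>
Build-Options: hardening=nofoo,nobar
"""


def is_hardening_flag(flag):
    """True for 'hardening', 'hardening=...' and 'no-hardening'."""
    return flag in ("hardening", "no-hardening") or flag.startswith("hardening=")


def split_options(value):
    """Split an option string on whitespace (assumed separator)."""
    return value.split()


def control_build_options(control_text):
    """Return the options of the first Build-Options field, or [] if absent."""
    m = re.search(r"^Build-Options:[ \t]*(.*)$", control_text, re.M | re.I)
    return split_options(m.group(1)) if m else []


def forward_hardening(control_text, deb_build_options):
    """Return the DEB_BUILD_OPTIONS value the build environment inherits."""
    builder = split_options(deb_build_options)
    if any(is_hardening_flag(f) for f in builder):
        # The builder set a hardening flag: it overrides the maintainer's choice.
        return " ".join(builder)
    # Otherwise forward only the maintainer's hardening flags from debian/control.
    maintainer = [f for f in control_build_options(control_text)
                  if is_hardening_flag(f)]
    return " ".join(builder + maintainer)


if __name__ == "__main__":
    for env in ("nocheck parallel=4", "no-hardening nocheck", ""):
        print(repr(env), "->", repr(forward_hardening(SAMPLE_CONTROL, env)))
```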


