[hardening-discuss] Bug#489771: support for centralized control over hardening-wrapper options
Raphael Hertzog
hertzog at debian.org
Mon Jul 7 21:32:16 UTC 2008
On Mon, 07 Jul 2008, Kees Cook wrote:
> This is a patch that adds support for the "hardening-wrapper" package's
> set of build flags, in the hopes of merging hardening-wrapper's
> functionality into dpkg-buildpackage at some point in the future.

Thanks for the patch, but I really dislike the complexity of this whole
setup.

Why couldn't hardening-wrapper use directly the hardening/no-hardening
options from DEB_BUILD_OPTIONS instead of requiring a complete set of
specific environment variables?

I don't want to have to modify dpkg-buildpackage, I'd rather rely on some
new infrastructure to handle build options that I'm currently working on.

In the end, I would like that:
- maintainers can opt-in/opt-out from building hardened binaries with the
  new Build-Options field in debian/control (same syntax as
  DEB_BUILD_OPTIONS with "hardening", "hardening=no<X>,no<Y>" or
  "no-hardening").
- the builder can override the maintainer choice by setting one of these
  flags in DEB_BUILD_OPTIONS
- the build environment always inherits any hardening options from
  debian/control into DEB_BUILD_OPTIONS (if not overridden)

dpkg-buildpackage would be modified to use a modified Dpkg::BuildOptions
that would do this "intelligent option forwarding" but that's all.

How does that sound to you?

Note that I'm not opposed to having dpkg-buildpackage enable hardening
by default in the future (by auto-setting the option unless instructed
otherwise by Build-Option: / DEB_BUILD_OPTIONS). For now, I just
want to not bloat dpkg-buildpackage with too much specific code like this
one and want to integrate this change in a more generic framework.

Cheers,
--
Raphaël Hertzog
Le best-seller français mis à jour pour Debian Etch :
http://www.ouaza.com/livre/admin-debian/
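
The option forwarding proposed in the message above, sketched as an added example; it is not code from the message, from dpkg or from hardening-wrapper. The function names, the constructed feature names `nofoo`/`nobar`, and the rule that the last hardening token in a string wins are assumptions.

```python
# Added illustration: resolve the hardening choice between the proposed
# Build-Options field (debian/control) and the builder's DEB_BUILD_OPTIONS.
HARDENING_KEYS = ("hardening", "no-hardening")


def parse_options(value):
    """Split a space-separated option string into an ordered {name: value} dict."""
    opts = {}
    for token in value.split():
        name, sep, val = token.partition("=")
        opts.pop(name, None)  # re-insert so a repeated option moves to the end
        opts[name] = val if sep else None
    return opts


def format_options(opts):
    """Serialise the dict back to the DEB_BUILD_OPTIONS syntax."""
    return " ".join(k if v is None else f"{k}={v}" for k, v in opts.items())


def hardening_choice(opts):
    """Return the last hardening-related (name, value) pair, or None."""
    picked = [(k, v) for k, v in opts.items() if k in HARDENING_KEYS]
    return picked[-1] if picked else None  # assumption: last token wins


def forward_hardening(control_build_options, deb_build_options):
    """Return the DEB_BUILD_OPTIONS value the build environment would see.

    1. The maintainer opts in or out through Build-Options.
    2. A hardening flag set by the builder overrides the maintainer.
    3. Otherwise the maintainer's choice is inherited into the environment.
    Only hardening options are forwarded from debian/control.
    """
    maintainer = parse_options(control_build_options)
    builder = parse_options(deb_build_options)
    choice = hardening_choice(builder) or hardening_choice(maintainer)
    # Keep the builder's other options untouched, then append one hardening token.
    merged = {k: v for k, v in builder.items() if k not in HARDENING_KEYS}
    if choice:
        merged[choice[0]] = choice[1]
    return format_options(merged)


if __name__ == "__main__":
    # Constructed inputs: maintainer disables two features, builder sets none.
    print(forward_hardening("hardening=nofoo,nobar", "nocheck parallel=4"))
    # Builder opts out entirely, overriding the maintainer's opt-in.
    print(forward_hardening("hardening", "no-hardening nocheck"))
```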