[hardening-discuss] Bug#489771: support for centralized control over hardening-wrapper options

[Kees Cook]

Hi Raphael,

On Mon, Jul 07, 2008 at 11:32:16PM +0200, Raphael Hertzog wrote:
> On Mon, 07 Jul 2008, Kees Cook wrote:
> > This is a patch that add support for the "hardening-wrapper" package's
> > set of build flags, in the hopes of merging hardening-wrapper's
> > functionality into dpkg-buildpackage at some point in the future.
> 
> Thanks for the patch, but I really dislike the complexity of this whole
> setup.
> 
> Why couldn't hardening-wrapper use directly the hardening/no-hardening
> options from DEB_BUILD_OPTIONS instead of requiring a complete set of 
> specific environment variables?

Well, the original goal was to move the hardening option knowledge out
of hardening-wrapper and into dpkg-buildpackage, so this was designed to
be a migration path.

Since dpkg-buildpackage is setting the default compiler flags (-g -Wall,
etc), this seemed like a sensible place for the other distro-wide flags
to go live so we can get rid of the crazy hack that is
hardening-wrapper.  :)

> dpkg-buildpackage would be modified to use a modified Dpkg::BuildOptions
> that would do this "intelligent option forwarding" but that's all.
> 
> How does that sound to you?
> 
> Note that I'm not opposed to have dpkg-buildpackage enable hardening
> by default in the future (by auto-setting the option unless instructed
> otherwise by Build-Option: / DEB_BUILD_OPTIONS). For now, I just
> want to not bloat dpkg-buildpackage with too much specific code like this
> one and want to integrate this change in a more generic framework.

Sure, I can certainly understand that.  Will there be a framework that a
compiler flag default option system can be plugged into?

Thanks,

-Kees

-- 
Kees Cook                                            @outflux.net