[hardening-discuss] Bug#489771: support for centralized control over hardening-wrapper options

Kees Cook kees at outflux.net
Mon Jul 28 18:39:31 UTC 2008


On Tue, Jul 22, 2008 at 09:08:33AM +0200, Raphael Hertzog wrote:
> Why do we need a migration path and not a direct migration ? Since
> hardening-wrapper does nothing without environment variables and since
> dpkg-buildpackage already provides default values to compiler flags...
> what would be the required intermediary step between: "hardening-wrapper
> does the job" and "dpkg-buildpackage does the job" ?

Yeah, you're right -- I can't think of a good reason to do this
migration inside dpkg-buildpackage.

> I haven't thought about this yet. As you noticed, the framework I was
> referring to was more for controlling DEB_BUILD_OPTIONS than for
> controlling CFLAGS & all.
> 
> But, if someone comes up with a sensible design for such a framework,
> I'm happy to give it a try. But I'm not sure if it would add any value
> compared to some hardcoded rules to generate the compiler flags.

I will find some time to talk to doko about this, and see what we can
come up with.  The goal here is to do away with the whole
hardening-wrapper package, and have all the flag knowledge triggered via
DEB_BUILD_OPTIONS and dpkg-buildpackage.

Thanks!

-Kees

-- 
Kees Cook                                            @outflux.net
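A sketch of the direction described in this thread (hardening flags derived from DEB_BUILD_OPTIONS by the build tooling rather than by a gcc wrapper), added here as an illustration; it is not code from dpkg, dpkg-buildpackage or hardening-wrapper. The `hardening=` token syntax, the feature names and the function name are assumptions made for this example; the compiler flags themselves are standard GCC options.

```sh
#!/bin/sh
# Hypothetical sketch (not dpkg's or hardening-wrapper's code) of
# deriving hardening compiler flags from DEB_BUILD_OPTIONS.
#
# Assumed (constructed) syntax: DEB_BUILD_OPTIONS may contain a
# space-separated token "hardening=<feature>[,<feature>...]" where each
# feature is one of stackprotector, fortify, format, pie, or "all";
# a feature prefixed with "-" is disabled again (so "all,-pie" is
# everything except PIE). No token means no hardening flags, matching
# the "does nothing without environment variables" behaviour above.

# Print the CFLAGS contribution for the given DEB_BUILD_OPTIONS string.
# Returns 1 (and prints nothing on stdout) for an unknown feature name,
# so a typo in the option does not silently build without hardening.
hardening_cflags() {
    _opts="$1"
    _sp=0; _fortify=0; _format=0; _pie=0
    for tok in $_opts; do
        case "$tok" in
            hardening=*)
                _list=$(printf '%s' "$tok" | sed -e 's/^hardening=//' -e 's/,/ /g')
                for f in $_list; do
                    case "$f" in
                        all) _sp=1; _fortify=1; _format=1; _pie=1 ;;
                        stackprotector) _sp=1 ;;  -stackprotector) _sp=0 ;;
                        fortify) _fortify=1 ;;    -fortify) _fortify=0 ;;
                        format) _format=1 ;;      -format) _format=0 ;;
                        pie) _pie=1 ;;            -pie) _pie=0 ;;
                        *) echo "hardening_cflags: unknown feature '$f'" >&2; return 1 ;;
                    esac
                done ;;
        esac
    done
    _out=""
    [ "$_sp" = 1 ] && _out="$_out -fstack-protector"
    [ "$_fortify" = 1 ] && _out="$_out -D_FORTIFY_SOURCE=2"
    [ "$_format" = 1 ] && _out="$_out -Wformat -Wformat-security"
    [ "$_pie" = 1 ] && _out="$_out -fPIE"
    printf '%s\n' "${_out# }"
}
```

Run as `DEB_BUILD_OPTIONS="nocheck hardening=all,-pie" ; CFLAGS="$CFLAGS $(hardening_cflags "$DEB_BUILD_OPTIONS")"` from a rules file to see how the flags would be composed without any wrapper binary on the PATH.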


