[hardening-discuss] Bug#489771: support for centralized control over hardening-wrapper options
Kees Cook
kees at outflux.net
Mon Jul 28 18:39:31 UTC 2008

On Tue, Jul 22, 2008 at 09:08:33AM +0200, Raphael Hertzog wrote:
> Why do we need a migration path and not a direct migration? Since
> hardening-wrapper does nothing without environment variables and since
> dpkg-buildpackage already provides default values to compiler flags...
> what would be the required intermediary step between: "hardening-wrapper
> does the job" and "dpkg-buildpackage does the job" ?

Yeah, you're right -- I can't think of a good reason to do this
migration inside dpkg-buildpackage.

> I haven't thought about this yet. As you noticed, the framework I was
> referring to was more for controlling DEB_BUILD_OPTIONS than for
> controlling CFLAGS & all.
>
> But, if someone comes up with a sensible design for such a framework,
> I'm happy to give it a try. But I'm not sure if it would add any value
> compared to some hardcoded rules to generate the compiler flags.

I will find some time to talk to doko about this, and see what we can
come up with. The goal here is to do away with the whole
hardening-wrapper package, and have all the flag knowledge triggered via
DEB_BUILD_OPTIONS and dpkg-buildpackage.

Thanks!

-Kees

--
Kees Cook @outflux.net