Bug#609975: iceweasel: Please enable hardening options

bertagaz at ptitcanardnoir.org bertagaz at ptitcanardnoir.org
Tue Jan 18 19:59:50 UTC 2011


On Mon, Jan 17, 2011 at 09:05:31AM +0100, Mike Hommey wrote:
> On Fri, Jan 14, 2011 at 03:43:13PM +0100, bertagaz wrote:
> > Package: iceweasel
> > Version: 3.5.16-4
> > Severity: wishlist
> > User: debian-security at lists.debian.org
> > Usertags: hardening
> > 
> > Hi,
> > 
> > Iceweasel being a really sensitive application in the Debian system,
> > having its package compiled with the hardening options seems really like a
> > good idea.
> > 
> > I built a version with the hardening-wrapper that I have been using for
> > quite some time now, and it seems to work smoothly. So I guess these
> > compile-time options could be included in the Debian package.
> > 
> > To enable this feature, you only have to add the hardening-wrapper package
> > to the build-dep and export DEB_BUILD_HARDENING=1 in debian/rules. See
> > http://wiki.debian.org/Hardening for more information on this topic.
> 
> I'm really not a big fan of -Wl,-z,relro and -Wl,-z,now

As said on its wiki page, you can deactivate features from the
hardening-wrapper by exporting variables at compile time.
Still, RELRO and BINDNOW are useful to protect an application. Do you
think they would slow iceweasel startup too much or hit its memory size?





More information about the pkg-mozilla-maintainers mailing list