Compiling browser
Mike Hommey
mh at glandium.org
Fri Mar 25 15:44:08 UTC 2011
On Fri, Mar 25, 2011 at 04:08:28PM +0100, Peter Smith wrote:
> This is proberly the I want to compile Firefox 3.6 on Debian Squeeze
> and place everything in the /opt directory. I want the compiled
> browser to have some security modifications. The first thing i have
> added to mozconfig is the following three lines:
>
> export CFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-all"
> export CXXFLAGS="${CFLAGS}"
> export CPPFLAGS="${CFLAGS}
>
> This makes hardening-check on firefox-bin output the following:
>
> Position Independent Executable: no, normal executable!
> Stack protected: yes
> Fortify Source functions: yes
> Read-only relocations: no, not found!
> Immediate binding: no, not found!
>
> I don't know what flags should be passed to gcc for activating
> "Position Independent Executable", "Read-only relocations" and
> "Immediate binding" or if it is a good idea at all? Is it enough to
> activate the options i have to make the browser more secure?
I guess you want to take a look at http://wiki.debian.org/Hardening
> I have to choose between using the system libraries for nspr, nss,
> jpeg, zlib, bz2 and png like this:
>
> ac_add_options --with-system-nspr
> ac_add_options --with-system-nss
> ac_add_options --with-system-jpeg
> ac_add_options --with-system-zlib
> ac_add_options --with-system-bz2
> ac_add_options --with-system-png
>
> or using the code shipped with Firefox for the same functionality. So
> far i have not been able to build Firefox without using system nspr
> and nss, the Mozilla version of these will not compile on Debian. What
> is most secure, using the system libraries or the Mozilla libraries?
They are the same.
Mike
More information about the pkg-mozilla-maintainers
mailing list