Bug#653191: Please enable hardened build flags through dpkg-buildpackage

Mike Hommey mh at glandium.org
Sun Jan 1 09:59:28 UTC 2012


On Sat, Dec 31, 2011 at 03:20:27PM +0100, Moritz Mühlenhoff wrote:
> On Mon, Dec 26, 2011 at 08:43:18AM +0100, Mike Hommey wrote:
> > On Sat, Dec 24, 2011 at 11:40:02PM +0100, Moritz Muehlenhoff wrote:
> > > Package: iceweasel
> > > Version: 9.0.1-1
> > > Severity: wishlist
> > > 
> > > Please source the hardened build flags from dpkg-buildflags for
> > > CPPFLAGS, CXXFLAGS and LDFLAGS for the iceweasel build.
> > 
> > FWIW, dpkg-buildflags is extremely unuseful for that, because it mixes
> > hardening flags with other flags.
> 
> Is that because you use a different optimization level other than
> O2? 
> 
> I've noticed that issue with a couple of packages, so I'm considering
> submitting a patch for dpkg-buildflags, but I'd like to know if you see
> different issues?

Yeah, basically I like that the old way of doing hardening didn't mess
with other flags. Though I'm not sure I like that there's not much of a
fine-grained tuning. For instance, I'm not sure -z relro buys anything
worth, while it may have a significant startup performance impact on big
applications. (and if I'm not mistaken, -z relro actually makes things
not work with SELinux, seeing how SELinux already breaks the mprotect
that removes the write bit on code sections after text relocations)

Mike
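
An added example, not part of the original message and not code from dpkg or the iceweasel packaging: one way to pull only the hardening flags out of a mixed flag string and drop individual ones such as `-Wl,-z,relro`, which is the separation and fine-grained tuning discussed above. The sample flag strings are constructed, and the list of flags treated as hardening in `is_hardening` is this example's assumption, as are the function names.

```sh
#!/bin/sh
# Constructed sample input: flag strings in which hardening flags are
# mixed with debug, optimization and unrelated linker flags.
SAMPLE_CFLAGS='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Wformat-security -Werror=format-security'
SAMPLE_CPPFLAGS='-D_FORTIFY_SOURCE=2'
SAMPLE_LDFLAGS='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed'

# is_hardening FLAG: succeed if FLAG is on this example's (assumed) list
# of hardening flags; everything else (-g, -O2, ...) is left alone.
is_hardening() {
    case "$1" in
        -fstack-protector*|--param=ssp-buffer-size=*) return 0 ;;
        -D_FORTIFY_SOURCE=*) return 0 ;;
        -Wformat|-Wformat-security|-Werror=format-security) return 0 ;;
        -fPIE|-pie) return 0 ;;
        -Wl,-z,relro|-Wl,-z,now) return 0 ;;
    esac
    return 1
}

# hardening_only "FLAGS" [EXCLUDE...]: print the hardening flags found in
# FLAGS, in order, minus any flag given verbatim as an EXCLUDE argument.
hardening_only() {
    flags=$1
    shift
    out=
    for f in $flags; do            # intentional word splitting on spaces
        if ! is_hardening "$f"; then continue; fi
        keep=1
        for x in "$@"; do
            if [ "$f" = "$x" ]; then keep=0; fi
        done
        if [ "$keep" -eq 1 ]; then out="${out:+$out }$f"; fi
    done
    printf '%s\n' "$out"
}

# Hardening flags only, so the package keeps its own optimization level:
hardening_only "$SAMPLE_CFLAGS"
# Linker hardening with relro opted out:
hardening_only "$SAMPLE_LDFLAGS" -Wl,-z,relro
```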




