[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ubuntu-devel
Subject:    hardened toolchain options via "hardening-wrapper"
From:       lars () canonical ! com (Lars Wirzenius)
Date:       2008-01-28 20:04:41
Message-ID: 1201550681.6737.107.camel () dorfl ! globalsuite ! net
[Download RAW message or body]

On ma, 2008-01-28 at 11:14 -0800, Kees Cook wrote:
> On Mon, Jan 28, 2008 at 07:40:35PM +0100, Tollef Fog Heen wrote:
> > * Kees Cook 
> > 
> > | - have a central place to control hardening compiler options
> > |   (implemented in the short-term as a compiler wrapper, and long-term
> > |   as a change to how packaging must respect compiler flags).
> > 
> > DEB_BUILD_OPTIONS + changing PATH so you have gcc wrapper which
> > mangles compiler flags sounds like a straightforward way of achieving
> > this?  (See how ccache does this, for instance)
> 
> I wanted to catch builds that called the compiler directly (e.g. as
> "/usr/bin/gcc-4.2" not just "gcc-4.2").

Builds doing that would seem to me to be buggy, precisely because they
prevent this kind of thing. Finding them and getting them fixed would be
a kindness on everyone.




[prev in list] [next in list] [prev in thread] [next in thread]