On Mon, Jan 17, 2011 at 09:05:31AM +0100, Mike Hommey wrote: > On Fri, Jan 14, 2011 at 03:43:13PM +0100, bertagaz wrote: > > Package: iceweasel > > Version: 3.5.16-4 > > Severity: wishlist > > User: [email protected] > > Usertags: hardening > > > > Hi, > > > > Iceweasel being a really sensitive application in the debian system, > > having its package compiled with the hardening options seems really like a > > good idea. > > > > I did build a version with the hardening-wrapper that I'm using now since > > quite some time, and it seems to work smoothly. So I guess this compile > > time options could be included in the debian package. > > > > To enable this feature, you only have to add the hardening-wrapper package > > to the build-dep and export DEB_BUILD_HARDENING=1 in debian/rules. See > > http://wiki.debian.org/Hardening for more informations on this topic. > > I'm really not a big fan of -Wl,-z,relro and -Wl,-z,now
As said on its wiki page, you can deactivate features from the hadening-wrapper by exporting variables at compile time. Still RELRO and BINDNOW are usefull to protect an application. Do you think they would slow too much iceweasel startup or hit its memory size? -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
