On Thu, Jul 28, 2011 at 11:02:16PM +0200, Raphael Hertzog wrote: > On Thu, 28 Jul 2011, Kees Cook wrote: > > On Wed, Jul 27, 2011 at 11:56:39PM +0200, Raphael Hertzog wrote: > > > The current implementation in my branch is that PIE is disabled by defaut > > > but if you set DEB_BUILD_HARDENING_PIE=1 then it will be used. This was > > > easily done on top of the compatibility layer with > > > hardening-includes/hardening-wrapper but I'm not convinced it's an > > > interface we want to use for this transition. > > > > If someone chose to build-dep on hardening-wrapper/hardening-includes, they > > expect to have built PIE, so I think that the dpkg-buildflags default > > should likely depend on that in some way. > > Do you mean analyze the build-dep to automatically enable PIE? That > doesn't seem clean and I'd rather have maintainer make it explicit. > > If hardening-includes/hardening-wrapper is still used by that package, > does it really matter what dpkg-buildflags is returning?
Yeah, all true. I guess it should be in the docs that cover migration from h-i/h-w. Looking at the git branch, you've already handled the "and supported" option, so just "DEB_BUILD_HARDENING_PIE=1" is sufficient. -Kees -- Kees Cook @debian.org -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected] Archive: http://lists.debian.org/[email protected]
