Russ Allbery <r...@debian.org> wrote:
> Paul Wise <p...@debian.org> writes:
>
>> Personally I think this is completely the wrong approach to take for
>> compiler hardening flags. The flags should be enabled by default in
>> upstream GCC and disabled by upstream software where they result in
>> problems.
>
> If we had followed that approach, we wouldn't have been able to use PIE,
> since it breaks various programs if you enable it this way and isn't as
> widely tested. But because we developed a generic framework to add and
> remove hardening flags that the maintainer has control over and can easily
> tweak for the needs of their packages, I was able to enable PIE on nearly
> all of my packages and just omit it for those packages it broke.
>
> I think that clearly demonstrates the major advantages of having an
> extensible framework that we can continue to adjust and modify going
> forward.
Fully agreed. dpkg-buildflags also provides benefits outside of security hardening, e.g. by allowing Debian packages or the whole archive to be rebuilt with deviating build flags.

Cheers,
Moritz

Archive: http://lists.debian.org/slrnjl21tj.jlm....@inutil.org
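The per-package opt-out Russ describes, as an added example that is not part of the thread: a minimal debian/rules that turns on the full hardening set through the dpkg-buildflags framework and marks where a maintainer drops only PIE for a package it breaks. It assumes debhelper compat level 9 or later, where dh passes the dpkg-buildflags output to the build automatically.

```make
#!/usr/bin/make -f
# Added example, not a real package's rules file. Assumes debhelper
# compat >= 9, so dh exports CFLAGS/LDFLAGS etc. from dpkg-buildflags.

# Request the whole hardening set; with dpkg-buildflags this includes PIE.
export DEB_BUILD_MAINT_OPTIONS = hardening=+all

# For a package known to break when built position-independent, keep every
# other hardening flag and remove just that one instead of the line above:
# export DEB_BUILD_MAINT_OPTIONS = hardening=+all,-pie

# Print the effective flags (and which hardening features are on) into the
# build log, so a reviewer can see the choice rather than infer it.
override_dh_auto_configure:
	dpkg-buildflags --status
	dh_auto_configure

%:
	dh $@
```

A build that does not use dh can get the same flags by adding `include /usr/share/dpkg/buildflags.mk` to debian/rules, which sets the same variables from dpkg-buildflags.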