On Mon, Oct 20, 2025 at 08:24:46AM +0300, jasem masry wrote:
> I want to secure Debian against exploitation of vulnerabilities, and I know that I should use compiler flags, but the problem is that there are many apps on the system. Should I compile them app by app, or is there a practical solution for that? I want URLs to articles on the web for the solution, to save your time.
Consider whether this is a good use of your time in the first place. Modern versions of Debian already apply a number of hardening options via compiler flags (see the output of "dpkg-buildflags", if you have the dpkg-dev package installed). If you were to find additional strategies that were generally applicable across the whole distribution, then those would likely be things we'd want to enable in Debian; but a lot of people have already spent a lot of time on this in Debian, and if you're coming to it from scratch without prior experience, it would probably take quite some time before you found viable approaches that they didn't.
Unless you were to put a great deal of complex automation in place, I think it's likely that attempting to recompile everything with different compiler options would lose you more effective security (due to being slower to apply updates) than you'd gain.
In practical terms, your time is probably better spent on other approaches. https://wiki.debian.org/SecurityManagement has some ideas and useful links.
-- Colin Watson (he/him)
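To see which hardening features the reply's "dpkg-buildflags" already turns on, the following added example (not part of the original message) parses the stanza output of `dpkg-buildflags --query-features hardening` and lists the features left disabled. The sample stanzas are constructed and abbreviated; real output varies by release and architecture, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarise `dpkg-buildflags --query-features hardening`.

# Constructed, abbreviated sample in the tool's "Field: value" stanza format.
# Used only when dpkg-buildflags (package dpkg-dev) is not installed.
SAMPLE='Feature: format
Enabled: yes

Feature: fortify
Enabled: yes

Feature: stackprotectorstrong
Enabled: yes

Feature: relro
Enabled: yes

Feature: bindnow
Enabled: no'

# Read stanzas on stdin, print one "<feature> <yes|no>" line per stanza.
parse_features() {
    awk -F': *' '
        $1 == "Feature" { name = $2 }
        $1 == "Enabled" && name != "" { print name, $2; name = "" }
    '
}

# Read stanzas on stdin, print the disabled features on one line,
# space-separated, in the order the tool reported them.
disabled_features() {
    parse_features | awk '
        $2 == "no" { out = out (out == "" ? "" : " ") $1 }
        END { print out }
    '
}

# Prefer live output; fall back to the constructed sample.
if command -v dpkg-buildflags >/dev/null 2>&1; then
    dpkg-buildflags --query-features hardening | disabled_features
else
    printf '%s\n' "$SAMPLE" | disabled_features
fi
```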

