Hi there,

I'm trying to compile a large number of Debian packages with particular compiler flags. This is to test out a new security hardening feature, similar to adding e.g. -fstack-protector-strong (https://wiki.debian.org/Hardening), but the catch is that I need to compile all dependencies of a package with the same flags. Previously, I compiled all dependencies manually, but now I'm trying to test the hardening feature on a wide range of packages and open it up for testing by other users too. Ideally, I'd have a build bot (or many bots) which would keep up with Debian stable, compiling a subset of all packages, and then I'd serve the results as an apt-compatible repository.

It seems like the easiest way to set this up would be to run a separate wanna-build instance, with a few machines running my own buildd with an appropriately-configured sbuild (which adds the compiler flags I want). Right now, the compiler flags I want are available in mainline GCC, so configuring sbuild should be straightforward.

I tried to set up sbuild on a clean jessie machine, but it hangs; I tried to follow the setup instructions for wanna-build (https://wiki.debian.org/DebianWannaBuildInfrastructureOnOneServer), but ran into multiple configuration issues. Is there any easier way to do what I am proposing, or does anyone have pointers for setting up a wanna-build instance that runs in parallel with Debian's, building the same packages but delegating to buildds that use different compiler flags?

The security feature I'm testing is continuous layout randomization, essentially ASLR done every few tens of milliseconds, rearranging the code of a program as it runs. Obviously this is a challenging task and it needs to be tested on more than the handful of programs I've run so far. The majority of the task is handled by my own code, but it needs some additional meta-information from the compiler to work correctly (it needs symbols and relocations), hence the need to recompile packages.

I believe that having this infrastructure in place would allow researchers to test new security features more easily, and allow users to get access to them sooner. Certainly if my build setup works I'll leave it running so that people can access the .debs as needed.

Please let me know if you have any questions or suggestions.

Thanks,
David
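For the "appropriately-configured sbuild" step above, an added example that is not part of the original post: an sbuild configuration fragment that injects extra flags into every package build through the DEB_*FLAGS_APPEND variables honoured by dpkg-buildflags. The flag values and the version suffix are placeholders, not the author's actual flags.

```perl
# ~/.sbuildrc (or /etc/sbuild/sbuild.conf) fragment: inject extra compiler
# flags into every package built by this sbuild instance.
#
# dpkg-buildflags honours DEB_*FLAGS_APPEND, so any package whose build
# system uses the standard Debian flag machinery (dh, cdbs, or a direct
# dpkg-buildflags call) gets the flags added to CFLAGS/CXXFLAGS/LDFLAGS
# without patching each package. The values below are illustrative only.

my $extra_cflags  = '-fstack-protector-strong';   # stand-in for the real flags
my $extra_ldflags = '';                           # linker-side flags, if any

$build_environment = {
    'DEB_CFLAGS_APPEND'   => $extra_cflags,
    'DEB_CXXFLAGS_APPEND' => $extra_cflags,
    'DEB_LDFLAGS_APPEND'  => $extra_ldflags,
    # Keep symbols in the shipped binaries: dh_strip honours 'nostrip',
    # which matters for a feature that needs symbol information at run time.
    'DEB_BUILD_OPTIONS'   => 'nostrip',
};

# Tag every output version so these builds never mix with stock Debian
# packages in a shared repository.
$append_to_version = '+rebuild1';

1;
```

Packages whose build system ignores dpkg-buildflags (hard-coded CFLAGS, non-standard configure scripts) silently receive none of this, so check the produced binaries rather than trusting the build log.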
