I'm fine with our ipxe packages using strictly the flags that the iPXE team wants.
Our CFLAGS mangling is intended to broadly raise the security mitigations applied to all our software and software that is built on Ubuntu. Different packages will handle the mitigations better than others, and certainly the pre-boot environment that iPXE inhabits will have a different set of requirements than most of the software we ship, and it sounds like the iPXE team has strong opinions on the appropriate flags to use, probably grown from experience debugging problems in an environment that's very challenging to debug. It's worth deferring to their expertise here, not least because we may be causing them additional support burdens through our choices. If they haven't reviewed the available security mitigations flags lately, I'd like to encourage them (or anyone, really) to read through https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options- Hardening-Guide-for-C-and-C++ for a good overview of the options available. These mitigations really are useful, and I frequently hear from pen-testers that they are an actual impediment to exploit authors, and the pre-boot environment also feels like it would benefit from their help. But I don't know which ones are appropriate and which ones are not. Thanks so much for raising the question. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2121439 Title: Disable custom CFLAGS To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ipxe/+bug/2121439/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
