[PATCH] Security hardening compiler and linker flags

David Jorm djorm at corp.iixpeering.net
Fri Mar 6 06:15:00 CET 2015



On 03/06/2015 02:13 AM, Stefan Jakob wrote:
>
>
> David Jorm <djorm at corp.iixpeering.net> wrote on Wed., 04.03.2015, 8:54:
>
>
>     On 02/27/2015 08:55 PM, Marco d'Itri wrote:
>     > On Feb 27, David Jorm <djorm at corp.iixpeering.net> wrote:
>     >
>     >> The attached patch adds security hardening compiler and linker flags. These
>     >> flags are only applied if --enable-secflags is on, and I've made
>     >> --enable-secflags on by default. I totally understand if the maintainers may
>     >> prefer for it to be off by default, at least initially.
>     > The warnings are OK, but while the hardening options actually match what
>     > Debian uses, distributions typically want to explicitly set them
>     > themselves using the defaults of their own build infrastructure (because
>     > in the future they may want to do mass rebuilds with different flags).
>     >
>
>     Thanks for the feedback, Marco. I was thinking that distributions could
>     override these flags by setting --enable-secflags off if they wanted to.
>     If that is insufficient, then I would have no problem re-spinning the
>     patch to set --enable-secflags off by default.
>
>
> +1
>
> Flags should be available but disabled by default at this state, imho, 
> ymmv
>
> Thx for the patch David!
>
> Rgds, Stefan
>

Thanks Stefan - a respun patch with enable-secflags disabled by default 
is attached.

David
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Added-optional-security-hardening-compiler-and-linker-flags.patch
Type: text/x-patch
Size: 2149 bytes
Desc: not available
URL: <http://trubka.network.cz/pipermail/bird-users/attachments/20150306/673e799f/attachment.bin>

