Security Hardening Build Flags
Goal description
The goal is to update as many packages as possible to use the security hardening build flags provided by dpkg-buildflags. These flags enable protections against classes of security bugs such as stack smashing and predictable locations of values in memory.
Current status
Bugs tagged with "goal-hardening" (used for enhancements/enabling flags in pkgs)
Hardening-triggered bugs filed by Debian QA from enabling dpkg-buildflags
- Packages that should have build flags enabled before the wheezy release (packages in these lists are candidates for an NMU enabling the build flags):
All packages that have had a DSA issued in the last 5 years: http://anonscm.debian.org/viewvc/secure-testing/hardening/subgoal-dsa.txt?view=co
Packages of priority important or greater: http://anonscm.debian.org/viewvc/secure-testing/hardening/subgoal-important.txt?view=co
All daemons and libraries accessible from the network: http://anonscm.debian.org/viewvc/secure-testing/hardening/subgoal-daemons.txt?view=co
All interpreters written in C: http://anonscm.debian.org/viewvc/secure-testing/hardening/subgoal-interpreters.txt?view=co
- Need to get authorization that these changes are allowable in an NMU.
How to help
- Fix bugs tagged "goal-hardening".
- Modify the packages you maintain to use the hardened build flags.
  Current instructions: HardeningWalkthrough
- Join the secure-testing team (to be able to update fixed package lists) and follow the mailing list:
Secure-testing introduction: http://anonscm.debian.org/viewvc/secure-testing/doc/narrative_introduction?view=co
Join the hardening-discuss list: http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/hardening-discuss
IRC Channel: #debian-security on OFTC
Relevant packages
- all packages
- all C/C++ packages
- all packages handling untrusted data (network daemons, web browsers, pdf viewers etc.)
Other Information
Debian Security Advisories: http://lists.debian.org/debian-security-announce/
Advocates
Kees Cook (kees@debian.org)
Moritz Mühlenhoff (jmm@debian.org)
Pierre Chifflier (pollux@debian.org)
Nico Golde (nion@debian.org)
Andreas Kuckartz (a.kuckartz@ping.de)
Volunteers
- Michael Gilbert (michael dot s dot gilbert at gmail dot com)
- YvesAlexisPerez (corsac.debian.org)
- Thijs Kinkhorst
- bertagaz (bertagaz AT ptitcanardnoir.org)