Comment: Add link to dpkg 1.16.1 announce mail (instructions)
Security Hardening Build Flags
Goal description
This goal is to update as many packages as possible to use security hardening build flags via dpkg-buildflags. These flags enable various protections against security issues such as stack smashing, predictable locations of values in memory, etc.
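To confirm that a rebuilt package really picked up these protections, here is an added example (not part of this wiki page, of dpkg, or of hardening-check) that inspects an ELF binary for the markers the flags leave behind. It assumes a 64-bit little-endian ELF as built on amd64, and uses a constructed sample header in place of a real binary:

```python
import re
import struct

# ELF constants from elf.h
ET_DYN, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 3, 2, 0x6474E551, 0x6474E552
PF_X, DT_FLAGS, DT_FLAGS_1, DF_BIND_NOW, DF_1_NOW = 1, 30, 0x6FFFFFFB, 0x8, 0x1
FORTIFY_RE = re.compile(rb"__[a-z0-9_]+_chk\x00")  # __memcpy_chk, __printf_chk, ...

def check_hardening(elf):
    """Hypothetical checker (not hardening-check(1)) for a 64-bit little-endian ELF,
    given as bytes or a path; returns a dict of properties, or None if not such an ELF."""
    data = elf if isinstance(elf, bytes) else open(elf, "rb").read()
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return None
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx = relro = bind_now = False
    for i in range(e_phnum):
        p_type, p_flags, p_off, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:    # -Wl,-z,noexecstack: stack not executable
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:  # -Wl,-z,relro: GOT made read-only after relocation
            relro = True
        elif p_type == PT_DYNAMIC:    # -Wl,-z,now appears as BIND_NOW in the dynamic section
            for off in range(p_off, min(p_off + p_filesz, len(data) - 16), 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == 0:
                    break
                if (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    bind_now = True
    return {
        "pie": e_type == ET_DYN,                             # -fPIE -pie (also true of .so files)
        "nx": nx,
        "relro": relro,
        "full_relro": relro and bind_now,
        "stack_protector": b"__stack_chk_fail\x00" in data,  # -fstack-protector emitted canary checks
        "fortify": bool(FORTIFY_RE.search(data)),            # -D_FORTIFY_SOURCE=2 replaced libc calls
    }

# Constructed sample: an ET_DYN header, PT_GNU_STACK (rw) and PT_GNU_RELRO program
# headers, and a "__stack_chk_fail" string. Enough to exercise the parser; not loadable.
SAMPLE_ELF = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + struct.pack("<HHIQQQIHHHHHH", ET_DYN, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    + struct.pack("<IIQQQQQQ", PT_GNU_STACK, 6, 0, 0, 0, 0, 0, 0)
    + struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 0)
    + b"__stack_chk_fail\x00"
)
```

The stack-protector and fortify checks are string heuristics: a binary with no function that needed a canary, or no fortifiable libc call, will report False even though it was built with the flags, so treat those two results as "evidence present" rather than proof of absence.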
Current status
- Bugs tagged with "goal-hardening" (used for enhancements/enabling flags in packages): http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=goal-hardening;users=hardening-discuss@lists.alioth.debian.org
- Hardening-triggered bugs filed by Debian QA from enabling dpkg-buildflags: http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=hardening;users=debian-qa@lists.debian.org
- Packages that should have build flags enabled before the wheezy release (packages in these lists are candidates for an NMU enabling the build flags):
All packages that have had a DSA issued in the last 5 years: http://anonscm.debian.org/viewvc/secure-testing/hardening/subgoal-dsa.txt?view=co
Packages of priority important or greater: http://anonscm.debian.org/viewvc/secure-testing/hardening/subgoal-important.txt?revision=17231&view=co
All daemons and libraries accessible from the network: http://anonscm.debian.org/viewvc/secure-testing/hardening/subgoal-daemons.txt?view=co
All interpreters written in C: http://anonscm.debian.org/viewvc/secure-testing/hardening/subgoal-interpreters.txt?view=co
- Need to get authorization that these changes are allowable in an NMU.
How to help
- Fix bugs tagged "goal-hardening".
- Modify the packages you maintain to use the hardened build flags.
Current instructions: http://lists.debian.org/debian-devel-announce/2011/09/msg00001.html (dpkg 1.16.1)
- Join the secure-testing team (to be able to update fixed package lists) and follow the mailing list:
Secure-testing introduction: http://anonscm.debian.org/viewvc/secure-testing/doc/narrative_introduction?view=co
Secure-testing mailing list: http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
- IRC Channel: #debian-security on OFTC
Relevant packages
- all packages
- all C/C++ packages
- all packages handling untrusted data (network daemons, web browsers, pdf viewers etc.)
Other Information
Debian Security Advisories: http://lists.debian.org/debian-security-announce/
Advocates
- Kees Cook (kees@debian.org)
- Moritz Mühlenhoff
- Pierre Chifflier (pollux@debian org)
- Nico Golde
Volunteers
- Michael Gilbert (michael dot s dot gilbert at gmail dot com)
- Yves-Alexis Perez (corsac.debian.org)
- Thijs Kinkhorst
- bertagaz (bertagaz AT ptitcanardnoir.org)