~-[[DebianWiki/EditorGuide#translation|Translation(s)]]: English - [[ja/ReleaseGoals/SecurityHardeningBuildFlags|日本語]] -~

= Security Hardening Build Flags =

== Goal description ==

This goal is to update as many packages as possible to build with the security hardening flags provided by dpkg-buildflags. These flags enable compile-time and link-time protections against common classes of security bugs, such as stack smashing (stack buffer overflows) and predictable locations of code and data in memory.

== Current status ==

 * [[http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=goal-hardening;users=hardening-discuss@lists.alioth.debian.org|Bugs tagged with "goal-hardening" (used for enhancements/enabling flags in pkgs)]]
 * [[http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=hardening;users=debian-qa@lists.debian.org|Hardening-triggered bugs filed by Debian QA from enabling dpkg-buildflags]]
 * Packages that should have the build flags enabled before the wheezy release (packages in these lists are candidates for an NMU enabling the build flags):
  * All packages that have had a DSA issued in the last 5 years: http://anonscm.debian.org/viewvc/secure-testing/hardening/subgoal-dsa.txt?view=co
  * Packages of priority important or greater: http://anonscm.debian.org/viewvc/secure-testing/hardening/subgoal-important.txt?view=co
  * All daemons and libraries accessible from the network: http://anonscm.debian.org/viewvc/secure-testing/hardening/subgoal-daemons.txt?view=co
  * All interpreters written in C: http://anonscm.debian.org/viewvc/secure-testing/hardening/subgoal-interpreters.txt?view=co
  * Authorization that these changes are allowable in an NMU still needs to be obtained.
 * [[http://outflux.net/debian/hardening/|Graph of progress]]

== How to help ==

 * Fix bugs tagged "goal-hardening".
 * [[Hardening|Modify]] the packages you maintain to use the hardened build flags.
  * Current instructions: [[HardeningWalkthrough]]
 * Join the secure-testing team (to be able to update the fixed-package lists) and follow the mailing list:
  * Secure-testing introduction: http://anonscm.debian.org/viewvc/secure-testing/doc/narrative_introduction?view=co
  * Join the hardening-discuss list: http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/hardening-discuss
 * [[IRC]] channel: [[irc://irc.debian.org/debian-security|#debian-security]] on OFTC

== Relevant packages ==

 * all packages
 * all C/C++ packages
 * all packages handling untrusted data (network daemons, web browsers, PDF viewers, etc.)

== Other Information ==

 * Debian Security Advisories: http://lists.debian.org/debian-security-announce/

== Advocates ==

 * Kees Cook (kees@debian.org)
 * Moritz Mühlenhoff (jmm@debian.org)
 * Pierre Chifflier (pollux@debian.org)
 * Nico Golde (nion@debian.org)
 * Andreas Kuckartz (a.kuckartz@ping.de)

== Volunteers ==

 * Michael Gilbert (michael dot s dot gilbert at gmail dot com)
 * YvesAlexisPerez (corsac.debian.org)
 * Thijs Kinkhorst
 * bertagaz (bertagaz AT ptitcanardnoir.org)
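== Example: auditing the flags a build received ==

The following is an added example, not code from this wiki page, from dpkg-dev or from the hardening-includes package. It is a small POSIX shell audit of the preprocessor, compiler and linker flags a build received, mapping each hardening option dpkg-buildflags is expected to emit to the protection it provides (stack-smashing canaries, fortified libc calls, format-security errors, RELRO, immediate binding, PIE). The `SAMPLE_*` flag strings are constructed here and assumed to match what dpkg-buildflags printed on wheezy by default and with `DEB_BUILD_MAINT_OPTIONS=hardening=+all`; `current_flags` calls the real `dpkg-buildflags --get` when it is installed and falls back to the constructed sample otherwise.

```shell
#!/bin/sh
# Added example (not from the Debian wiki page, dpkg-dev or hardening-includes):
# check a set of build flags for the hardening options dpkg-buildflags emits.

# Constructed sample: assumed default wheezy CPPFLAGS, CFLAGS and LDFLAGS, joined.
SAMPLE_DEFAULT='-D_FORTIFY_SOURCE=2 -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wl,-z,relro'
# Constructed sample: the same flags with DEB_BUILD_MAINT_OPTIONS=hardening=+all,
# which additionally enables PIE and immediate binding (full RELRO).
SAMPLE_ALL="$SAMPLE_DEFAULT -fPIE -pie -Wl,-z,now"

# hardening_missing FLAG... : print one line per expected hardening option that
# is absent from the given flags, with the protection it provides.
# Returns 0 when every option is present, 1 otherwise.
hardening_missing() {
    flags="$*"
    missing=""
    # "option:protection" pairs; the option is matched as a prefix so that
    # variants such as -fstack-protector-strong or -fstack-protector-all count.
    for want in \
        '-fstack-protector:stack-smashing canaries' \
        '-D_FORTIFY_SOURCE=2:bounds-checked libc string/memory functions' \
        '-Werror=format-security:format-string misuse becomes a build error' \
        '-Wl,-z,relro:relocation tables made read-only after loading' \
        '-Wl,-z,now:immediate symbol binding, full RELRO (hardening=+bindnow)' \
        '-fPIE:position-independent executable so ASLR can randomize code and data (hardening=+pie; also needs -pie at link time)'
    do
        opt=${want%%:*}
        why=${want#*:}
        case " $flags " in
            *" $opt"*) ;;   # present
            *) missing="${missing}${opt} (${why})
" ;;                        # the quoted newline terminates each report line
        esac
    done
    printf '%s' "$missing"
    [ -z "$missing" ]
}

# current_flags : the flags dpkg-buildflags hands to a package build on this
# system, or the constructed default sample when dpkg-dev is not installed.
current_flags() {
    if command -v dpkg-buildflags >/dev/null 2>&1; then
        for var in CPPFLAGS CFLAGS LDFLAGS; do
            dpkg-buildflags --get "$var"
        done
    else
        printf '%s\n' "$SAMPLE_DEFAULT"
    fi
}

# Stand-alone run: report which hardening options this environment's flags lack.
if hardening_missing $(current_flags); then
    echo "all expected hardening options present"
else
    echo "(options listed above are missing; see HardeningWalkthrough for enabling them)"
fi
```

The check only tells you what the build was handed; a package's own build system can still drop the flags, which is why `hardening-check` from the hardening-includes package should be run on the resulting binaries to confirm the protections actually took effect. Note also that `-Werror=format-security` turns format-string warnings into build failures, which is one reason enabling dpkg-buildflags surfaces the QA bugs tracked above.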