Security Hardening Build Flags
Goal description
The goal is to update as many packages as possible to build with the security hardening flags provided by dpkg-buildflags. These flags enable protections against security issues such as stack smashing and predictable locations of values in memory.
Current status
- Need to make a list of highest priority packages.
- Need to get authorization that these changes are allowable in an NMU.
How to help
- Modify the packages you maintain to use the hardened build flags.
Current instructions: http://lists.debian.org/debian-devel/2011/09/msg00065.html (TODO: replace with d-d-a mail announcing dpkg 1.16.1 as soon as available)
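To confirm that a rebuilt package actually picked up the flags, the resulting ELF files can be inspected for the features named by dpkg-buildflags' hardening options (pie, relro, bindnow, stackprotector, fortify). The following is an added example, not part of the original page or of dpkg: it handles little-endian ELF64 only, the stackprotector and fortify checks are heuristics on glibc helper names, and `check_hardening` and `build_sample` are hypothetical names, with `build_sample` producing constructed test input.

```python
import re
import struct

ET_EXEC, ET_DYN, PT_DYNAMIC, PT_GNU_RELRO = 2, 3, 2, 0x6474E552
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def check_hardening(data: bytes) -> dict:
    """Report dpkg-buildflags hardening features seen in a little-endian ELF64 image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    relro = bind_now = False
    for i in range(e_phnum):
        ph = e_phoff + i * e_phentsize
        p_type, _flags, p_offset = struct.unpack_from("<IIQ", data, ph)
        (p_filesz,) = struct.unpack_from("<Q", data, ph + 32)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            # Walk Elf64_Dyn (tag, value) pairs until DT_NULL.
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == 0:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                    bind_now = True
    return {
        "pie": e_type == ET_DYN,  # ET_DYN is also the type of shared libraries
        "relro": relro,
        "bindnow": bind_now,
        # Heuristics: glibc helper names present anywhere in the file.
        "stackprotector": b"__stack_chk_fail" in data,
        "fortify": re.search(rb"__[a-z]+_chk\x00", data) is not None,
    }


def build_sample(e_type, phdr_types, dyn_tags, strings=b""):
    """Constructed input: a minimal ELF64 image for the checker, not a runnable binary."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_tags + [(0, 0)])
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdr_types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, 64 + 56 * len(phdr_types), 0, 0,
                                 len(dyn), len(dyn), 8) for t in phdr_types)
    return ehdr + phdrs + dyn + strings
```

For a real package, pass the bytes of each installed binary to `check_hardening`; a `False` entry points at a build system that ignores the exported flags.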
Candidate Packages for NMUs Enabling Hardened Build Flags
- Any package that has had a DSA (Debian Security Announcement) issued within the past five years.
- All packages with priority >= standard.
Relevant packages
- all packages
- all C/C++ packages
- all packages handling untrusted data (network daemons, web browsers, pdf viewers etc.)
Other Information
Debian Security Advisories: http://lists.debian.org/debian-security-announce/
Advocates
- Needed.
Volunteers
- Michael Gilbert (michael dot s dot gilbert at gmail dot com)
- YvesAlexisPerez (corsac.debian.org)