Security Hardening Build Flags
Goal description
This goal is to update as many packages as possible to use security hardening build flags via dpkg-buildflags. These flags enable various protections against security issues such as stack smashing, predictable locations of values in memory, etc.
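An added example of what the switch to dpkg-buildflags looks like in practice (it is not from this page or from any Debian package; the package is hypothetical and the use of dh is assumed): with dpkg 1.16.1 or later, debian/rules can take the flags from dpkg-buildflags instead of hard-coding them, and DEB_BUILD_MAINT_OPTIONS selects which hardening features are enabled.

```make
#!/usr/bin/make -f
# Added example, not from the wiki page: a minimal debian/rules for a
# hypothetical package whose upstream build honours the CFLAGS, CXXFLAGS,
# CPPFLAGS and LDFLAGS it finds in the environment.

# Enable every hardening feature dpkg-buildflags knows about: format,
# fortify, stackprotector, relro, bindnow and pie.  Without this line
# dpkg-buildflags only emits its per-distribution defaults, so bindnow
# and pie stay off.  It is exported so that tools run from the recipes
# below (debhelper, dpkg-buildflags) see it too.
export DEB_BUILD_MAINT_OPTIONS = hardening=+all

# Let buildflags.mk (shipped by dpkg >= 1.16.1) define CFLAGS & co. from
# dpkg-buildflags and export them to the build.  buildflags.mk hands
# DEB_BUILD_MAINT_OPTIONS to dpkg-buildflags itself, so this works even
# where $(shell ...) does not inherit variables exported by the makefile,
# which is why it is preferred over ad-hoc $(shell dpkg-buildflags --get)
# calls here.
DPKG_EXPORT_BUILDFLAGS = 1
include /usr/share/dpkg/buildflags.mk

%:
	dh $@
```

After the build, hardening-check (from the hardening-includes package) run on an installed binary reports which of the protections actually ended up in it, which is the quickest way to spot an upstream build system that ignores the environment flags.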
Current status
- Packages that should have build flags enabled before the wheezy release (packages in these lists are candidates for an NMU enabling the build flags):
  - All packages that have had a DSA issued in the last 5 years: http://anonscm.debian.org/viewvc/secure-testing/hardening/subgoal-dsa.txt?view=co
  - Packages of priority important or greater: http://anonscm.debian.org/viewvc/secure-testing/hardening/subgoal-important.txt?revision=17231&view=co
- Need to get authorization that these changes are allowable in an NMU.
How to help
- Modify the packages you maintain to use the hardened build flags.
  - Current instructions: http://lists.debian.org/debian-devel/2011/09/msg00065.html (TODO: replace with d-d-a mail announcing dpkg 1.16.1 as soon as available)
- Join the secure-testing team (to be able to update fixed package lists) and follow the mailing list:
  - Secure-testing introduction: http://anonscm.debian.org/viewvc/secure-testing/doc/narrative_introduction?view=co
  - Secure-testing mailing list: http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
- IRC Channel: #debian-security on OFTC
Relevant packages
- all packages
- all C/C++ packages
- all packages handling untrusted data (network daemons, web browsers, PDF viewers, etc.)
Other Information
Debian Security Advisories: http://lists.debian.org/debian-security-announce/
Advocates
- Kees Cook (kees@debian.org)
- Moritz Mühlenhoff
Volunteers
- Michael Gilbert (michael dot s dot gilbert at gmail dot com)
- YvesAlexisPerez (corsac.debian.org)
- Thijs Kinkhorst