On 03/06/2015 02:13 AM, Stefan Jakob wrote:
David Jorm <djorm@corp.iixpeering.net> wrote on Wed, 04.03.2015, 8:54:
On 02/27/2015 08:55 PM, Marco d'Itri wrote:
> On Feb 27, David Jorm <djorm@corp.iixpeering.net> wrote:
>
>> The attached patch adds security hardening compiler and linker flags. These
>> flags are only applied if --enable-secflags is on, and I've made
>> --enable-secflags on by default. I totally understand if the maintainers may
>> prefer for it to be off by default, at least initially.
> The warnings are OK, but while the hardening options actually match what
> Debian uses, distributions typically want to explicitly set them
> themselves using the defaults of their own build infrastructure (because
> in the future they may want to do mass rebuilds with different flags).
Thanks for the feedback, Marco. I was thinking that distributions could override these flags by setting --enable-secflags off if they wanted to. If that is insufficient, then I would have no problem re-spinning the patch to set --enable-secflags off by default.
+1
Flags should be available but disabled by default at this state, imho, ymmv
Thx for the patch David!
Rgds, Stefan
Thanks Stefan - a respun patch with enable-secflags disabled by default is attached.
David