On Fri, Mar 02, 2012 at 11:50:35AM +0100, Santiago Vila wrote:
> On Sat, 31 Dec 2011, Moritz Muehlenhoff wrote:
> 
> > Package: diffutils
> > Version: 1:3.2-1
> > Severity: important
> > Tags: patch
> > 
> > Please enable hardened build flags through dpkg-buildflags.
> > 
> > Patch attached. (dpkg-buildflags abides "noopt" from DEB_BUILD_OPTIONS)
> 
> Applied the patch and this is what hardening-check now tells me:
> 
> /usr/bin/diff:
>  Position Independent Executable: no, normal executable!
>  Stack protected: yes
>  Fortify Source functions: yes (some protected functions found)
>  Read-only relocations: yes
>  Immediate binding: no not found!
> 
> The wiki page, namely:
> 
> http://wiki.debian.org/Hardening#Validation
> 
> has a paragraph explaining "Stack protected" and another one explaining
> "Fortify Source functions", but does not say anything about "Position
> Independent Executable" or "Immediate binding".
> 
> So: Am I doing anything wrong, or maybe the web page should also tell
> something about cases where Position Independent Executable is "no"
> but it's also ok? (resp. Immediate binding).

The output of hardening-check is correct for the default flags for
Wheezy. Please see the section "Testing your packages after conversion"
on the Hardening walkthrough page:
http://wiki.debian.org/HardeningWalkthrough

You can add PIE and bind by selecting all hardening flags as outlined
in the walkthrough. For diffutils the performance should be identical.

Cheers,
        Moritz


