On Mon, 07 Jul 2008, Kees Cook wrote:
> This is a patch that adds support for the "hardening-wrapper" package's
> set of build flags, in the hopes of merging hardening-wrapper's
> functionality into dpkg-buildpackage at some point in the future.

Thanks for the patch, but I really dislike the complexity of this whole setup. Why couldn't hardening-wrapper use directly the hardening/no-hardening options from DEB_BUILD_OPTIONS instead of requiring a complete set of specific environment variables?

I don't want to have to modify dpkg-buildpackage, I'd rather rely on some new infrastructure to handle build options that I'm currently working on.

In the end, I would like that:
- maintainers can opt-in/opt-out from building hardened binaries with the new Build-Options field in debian/control (same syntax as DEB_BUILD_OPTIONS with "hardening", "hardening=no<X>,no<Y>" or "no-hardening").
- the builder can override the maintainer choice by setting one of these flags in DEB_BUILD_OPTIONS
- the build environment always inherits any hardening options from debian/control into DEB_BUILD_OPTIONS (if not overridden)

dpkg-buildpackage would be modified to use a modified Dpkg::BuildOptions that would do this "intelligent option forwarding" but that's all.

How does that sound to you?

Note that I'm not opposed to having dpkg-buildpackage enable hardening by default in the future (by auto-setting the option unless instructed otherwise by Build-Option: / DEB_BUILD_OPTIONS).

For now, I just want to not bloat dpkg-buildpackage with too much specific code like this one and want to integrate this change in a more generic framework.

Cheers,
-- 
Raphaël Hertzog

The French best-seller updated for Debian Etch:
http://www.ouaza.com/livre/admin-debian/
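
The option forwarding proposed in the message above, sketched as an added example; it is not part of the original email and is not dpkg code. Build-Options is the field the message proposes, while the function names, the constructed control file, the placeholder feature names foo/bar and the rule that the last maintainer token wins are assumptions.

```python
import re

# Hardening tokens in the syntax the message proposes:
# "hardening", "hardening=no<X>,no<Y>" or "no-hardening".
HARDENING_RE = re.compile(r"^(?:no-hardening|hardening(?:=[\w,-]+)?)$")

# Constructed sample; "foo" and "bar" stand in for the <X>/<Y> features.
SAMPLE_CONTROL = """\
Source: hello
Maintainer: Jane Doe <jane@example.org>
Build-Options: hardening=nofoo,nobar

Package: hello
Architecture: any
"""


def control_build_options(control_text):
    """Tokens of the proposed Build-Options field, read from the source
    stanza (first paragraph) of a debian/control file."""
    stanza = control_text.strip().split("\n\n", 1)[0]
    value, in_field = [], False
    for line in stanza.splitlines():
        if line.startswith("#"):              # comment line
            continue
        if line[:1] in (" ", "\t"):           # continuation of previous field
            if in_field:
                value.append(line.strip())
            continue
        name, _, rest = line.partition(":")
        in_field = name.strip().lower() == "build-options"
        if in_field:
            value.append(rest.strip())
    return " ".join(value).split()


def forward_hardening(control_text, deb_build_options):
    """Return the DEB_BUILD_OPTIONS value the build environment should see."""
    builder = deb_build_options.split()
    if any(HARDENING_RE.match(t) for t in builder):
        return " ".join(builder)              # builder overrides maintainer
    inherited = [t for t in control_build_options(control_text)
                 if HARDENING_RE.match(t)]
    # Assumption: if the maintainer lists several tokens, the last one wins.
    return " ".join(builder + inherited[-1:])


if __name__ == "__main__":
    print(forward_hardening(SAMPLE_CONTROL, "nocheck parallel=4"))
    print(forward_hardening(SAMPLE_CONTROL, "no-hardening nocheck"))
```

Unrelated builder options such as nocheck pass through untouched; only the hardening family is subject to the override and inheritance rules.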