hardening-wrapper_1.28~bpo50+1_amd64.changes is NEW
(new) hardening-includes_1.28~bpo50+1_all.deb extra devel
Makefile for enabling compiler flags for security hardening
Makefile to be included in Debian rules files. CFLAGS and LDFLAGS
can be extended to include the respective HARDENING_* variables which
contain architecture-validated security hardening compiler options.
(new) hardening-wrapper_1.28~bpo50+1.dsc extra devel
(new) hardening-wrapper_1.28~bpo50+1.tar.gz extra devel
(new) hardening-wrapper_1.28~bpo50+1_amd64.deb extra devel
Compiler wrapper to enable security hardening flags
Replaces gcc, g++, and ld with wrapper scripts that set security hardening
compilation flags, as an alternative to changing gcc specs. Enabled when
DEB_BUILD_HARDENING=1 is set.
Changes: hardening-wrapper (1.28~bpo50+1) lenny-backports; urgency=low
.
* Non-maintaner upload for backports.org
* Backport for Lenny Archive.
.
hardening-wrapper (1.28) unstable; urgency=low
.
* hardening.make: enable PIE on hurd (Closes: 586215), thanks to
Samuel Thibault.
.
hardening-wrapper (1.27) unstable; urgency=low
.
* hardening.make:
- disable RELRO on avr32.
- clarify use of CXXFLAGS.
* hardening-check: fix regex to correctly call sed (Closes: 578488).
.
hardening-wrapper (1.26) unstable; urgency=low
.
* hardening.make: disable PIE on avr32 (Closes: 574716).
.
hardening-wrapper (1.25) unstable; urgency=low
.
* debian/control:
- bump standards version: no changes needed.
- should not be considered "experimental".
* hardening-check: use readelf's "-s" instead of "-r" to avoid issues
with archs that lack sane relocations.
* tests/Makefile.common:
- adjust tests to include -s output.
- weaken nm symbol matching.
.
hardening-wrapper (1.24) unstable; urgency=low
.
* hardening-check: handle alternate names for relocation jump slots
(Closes: 568622)
* tests/Makefile.common: show relocations as well for future debugging.
.
hardening-wrapper (1.23) unstable; urgency=low
.
* hardening.make: correctly document how to disable PIE on a per-target
basis (Closes: 567707).
* tests/Makefile.{common,includes}: add HARDENING_DISABLE_* flags tests.
.
hardening-wrapper (1.22) unstable; urgency=low
.
* debian/hardening-wrapper.postrm: fix typo in diversion name
(Closes: 564840).
.
hardening-wrapper (1.21) unstable; urgency=low
.
* debian/control: add ${misc:Depends} to control file entries to
keep lintian happy.
* hardening-check: add -q option to only report failures.
* really handle gcc 4.5 diversion (Closes: 564596).
* handle ld diversion when binutils-gold installed (Closes: 535037).
.
hardening-wrapper (1.20) unstable; urgency=low
.
* hardening.make:
- switch to "filter" for easier to read logic.
- allow PIE for arm/armel, since it's only the kernel that lacks ASLR.
* tests/Makefile: perform test builds with -fstack-protector and -fPIE -pie
on all architectures just to have a record of the success/failure
in the build logs, even if we are manually selecting the defaults.
.
hardening-wrapper (1.19) unstable; urgency=low
.
* debian/rules: fix up arch/arch-indep rules to avoid rebuilding
arch-indep bits repeatedly.
* hardening-check, debian/{rules,hardening-includes.manpages},
tests/Makefile.common: add helper utility to allow users of
hardening-includes to evaluate the state of a given binary's
resulting hardening features.
* debian/rules: add gcc-4.5 to the diversion list.
.
hardening-wrapper (1.18) unstable; urgency=low
.
* debian/{control,rules}: add "hardening-includes" for use in other
Debian rules files.
* debian/rules, hardening.make: relocate/enhance architecture logic
to common makefile include file.
* tests/*: update to test both wrapper and include style.
.
hardening-wrapper (1.17) unstable; urgency=low
.
* Add Conflicts on binutils-gold, which also uses diversions against
gcc and friends (Closes: 535037, LP: #442636).
.
hardening-wrapper (1.16) unstable; urgency=low
.
* tests/Makefile: exclude relro test on hppa.
.
hardening-wrapper (1.15) unstable; urgency=low
.
* tests/Makefile: exclude tests based on architecture (ia64 w/o relro).
* debian/rules: disable PIE on mips/mipsel until bug 532821 is solved
(Closes: #548250).
.
hardening-wrapper (1.14) unstable; urgency=low
.
* hardened-ld: add ...BINDNOW for -Wl,-z,now ELF markings.
* debian/control: moved to standards version 3.8.2, no changes needed.
* tests/Makefile: add tests for RELRO and BIND_NOW.
* hardening-{cc,ld}.1: document BINDNOW and RELRO, add on to See Also.
.
hardening-wrapper (1.13) unstable; urgency=low
.
* hardened-cc: add ...DEBUG_SYMLINKS to visualize symlink resolution.
* hardened-cc: detect uninstalled targets and abort (Closes: #506066).
* debian/{rules,postinst,postrm}: add links for gcc-4.4.
* debian/control: moved to standards version 3.8.0, no changes needed.
.
hardening-wrapper (1.12) unstable; urgency=low
.
* hardened-cc: add -nostdlib test missing from older gcc (gcc-4.0, gcc-4.1).
* hardened-{cc,ld}: load system defaults from /etc/hardening-wrapper.conf
* hardened-{cc,ld}.1: updated man pages to mention system-wide config.
* hardened-{cc,ld}: handle relative symlinks correctly to address issues
pointed out by Sedat Dilek.
.
hardening-wrapper (1.11) unstable; urgency=low
.
* hardened-ld: disable PIE logic -- gcc should be the only part of the
toolchain requesting PIE.
* tests/Makefile: use -B instead of GCC_EXEC_PREFIX, which does not
do the right thing on all architectures.
.
hardening-wrapper (1.10) unstable; urgency=low
.
* hardened-cc, hardened-ld: re-arranged logic for "-pie". Old logic
was resulting in failed compiles under cmake.
* tests/Makefile: moved debian/rules tests into separate directory,
added -fPIC test cases, based on issues uncovered by cmake.
* debian/rules: disabled stack protector on mips, hppa -- not supported.
.
hardening-wrapper (1.9) unstable; urgency=low
.
* debian/rules:
- disable stack protector on arm, armel.
- disable PIE on arm, armel (thanks to Riku Voipio, Closes: 475764).
- show readelf output on test builds.
- fully link by tricking gcc into running the ld test wrapper.
* hello.c: re-arranged to exercise stack protector, report PIE.
* hardened-ld: add env var way to force use of /usr/bin/ld during tests.
.
hardening-wrapper (1.8) unstable; urgency=low
.
* debian/rules: disable stack protector on ia64 and alpha.
.
hardening-wrapper (1.7) unstable; urgency=low
.
* debian/rules: corrected binary-arch target (Closes: 472324).
.
hardening-wrapper (1.6) unstable; urgency=low
.
* debian/rules: build hardened-c++ from hardened-cc.
* debian/{rules,control}, hardened-cc: disable PIE by default on m68k,
hppa (Closes: #465827).
* hello.c: added test program to catch architecture-specific failures.
.
hardening-wrapper (1.5) unstable; urgency=low
.
* Fix typo in hardened-c++ self-check regex (Closes: #462682).
.
hardening-wrapper (1.4) unstable; urgency=low
.
* hardened-ld: fix relro argument passing (ld silently takes any -z arg).
.
hardening-wrapper (1.3) unstable; urgency=low
.
* hardened-{cc,c++}: fix -Wformat-security typo.
* debian/postinst: only clean up old diversions on a versioned upgrade.
* debian/postrm: do not require known arguments.
.
hardening-wrapper (1.2) unstable; urgency=low
.
* Move away from generic "builder" prefix to "hardened".
* Provide links for gcc 4.1, 4.2, and 4.3 instead of top-level links.
* Provide manpage link for package name.
* Clean up previous diversions.
* Move to "all" arch since arch-dep symlinks are no longer used.
Override entries for your package:
Announcing to backports-changes@lists.backports.org
Your package contains new components which requires manual editing of
the override file. It is ok otherwise, so please be patient. New
packages are usually added to the override file about once a week.
You may have gotten the distribution wrong. You'll get warnings above
if files already exist in other distributions.
t in other distributions.
Reply to: