On Mon, Mar 04, 2019 at 07:20:39AM +0300, Arthur D. wrote:
> Hello guys.
>
> I'm currently migrating the packages I have in touch to newer debian
> compat level. And there's one thing I want to discuss.
>
> Recently I noticed that binaries in migrated packages are bigger in
> size. Let's take for example, libosso1 package. It's binary sizes for
> migrated vs non-migrated:
> libosso.so.1.3.0 51204
> libosso.so.1.3.0 47092
>
> It's about 8% increase.
>
> So I figured out what was the reason. And it's the usage of gcc/g++
> -fstack-protector-strong option in debian upstream. You may read
> about this option here https://wiki.debian.org/Hardening and here
> https://lwn.net/Articles/584225/
>
> So my question is:
>
> * should we avoid using this option in our packages to have our binaries
> less in space + work faster but with lack of some security protection from
> stack attacks?
>
> OR
>
> * just use debian upstream CFLAGS with additional security to the binaries
> it offers?
>
> We may also have this option enabled for some packages and disabled for
> others,
> so we will need to maintain a list of packages which should be protected and
> which should not.
>
> One more thing to consider is that until now most of our packages are not
> migrated to modern debian compat level / sequencer. So they are unprotected
> just like in Maemo Fremantle.

I think we should strive for keeping it enabled, and also porting all
the packages to at least debhelper compat 9.