[debian-mysql] How to replace the deprecated hardening-wrapper for MySQL and MariaDB packages properly?

Otto Kekäläinen otto at seravo.fi
Thu Sep 18 08:04:53 UTC 2014


Comments anybody?

2014-09-14 18:14 GMT+03:00 Otto Kekäläinen <otto at seravo.fi>:
> Hello!
>
> We already touched this, but there wasn't much response so I'll try to
> get your attention again about how to correctly replace
> hardening-wrapper in packages mysql-5.5, mysql-5.6, mariadb-5.5 and
> mariadb-10.0 (or maybe we can skip the 5.5 versions if upgrades
> progress soon).
..
> I see that Björn addressed this in these commits:
> http://anonscm.debian.org/cgit/pkg-mysql/mysql-5.6.git/commit/?id=7715b754bdc78d55c01129a4640a856f6dd22c80
> and
> http://anonscm.debian.org/cgit/pkg-mysql/mysql-5.6.git/commit/?id=195daacf50f7e1a821c55ff06ca6c139c5ae5461
..
> +export DEB_BUILD_MAINT_OPTIONS = hardening=+all
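
Review bot: the added "export DEB_BUILD_MAINT_OPTIONS = hardening=+all" line has no comment giving the reason for choosing the full set. A one-line comment above it would help, for example that the server is a network listener handling untrusted data, which is the case where PIE and BINDNOW are asked for. Because "all" also pulls in future hardening flags, please state whether that is intended, or list the flags explicitly ("hardening=+pie,+bindnow") so a later toolchain update does not change the build unnoticed.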

Björn: what about this line, what is the motivation for it?

I need your help, I am not smart enough to apply the sentence "When
building programs that handle untrusted data (parsers, network
listeners, etc.), or run with elevated privileges (PAM, X, etc.),
please enable "PIE" and "BINDNOW" in the build. The "all" option
enables "PIE" and "BINDNOW" and future hardening flags" at
https://wiki.debian.org/Hardening to the mysql/mariadb case (which by
the way isn't identical in PIE usage, but still shares a lot). I don't
directly understand why this is needed or how it works.
