[Pkg-pascal-devel] Lintian errors and warnings on FPC

peter green plugwash at p10link.net
Tue Jan 25 07:05:26 GMT 2022


On 25/01/2022 06:14, David Bannon wrote:
> that would also cover the situation that now applies to e.g. x86-64 and ARM too, where hardening does not work with a statically linked binary; you need to manually force it to be a dynamic link first.
> 
> Your question? Personally I see little benefit in hardening on a single-user, private system. But I agree that it's a very good thing on what we generally call a server. We should be able to do it!
>
To me it's less about the system and more about the program. There are two key questions.

1. To what extent is the program used to process untrusted data? The bottom line with compilers
and related tools is that most of the time people use them on a codebase they plan to execute,
so there is little to be gained by attacking them.

2. To what extent does the language and programming style help avoid the kind of screwups that
led to hardening being created in the first place? I'd say in this regard Borland-style Pascal
is better than C, possibly slightly worse than modern C++, and much worse than Rust.

How many Pascal programs in Debian are there that do not link against the (dynamic) C library
for one reason or another *and* are likely to be used to process untrusted data?
Is the inability to harden static binaries really that big a deal?
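The thread turns on what a hardening checker actually sees in a statically linked binary versus a dynamically linked PIE. The script below is an added example, not code from FPC, Lintian or this list: it reads the ELF64 header and program headers with nothing but the standard library and reports the properties those checks key on (program interpreter present, ET_DYN i.e. PIE, a PT_GNU_RELRO segment, and a non-executable PT_GNU_STACK). The finding names (`no-pie`, `no-relro`, `exec-stack`) are my own shorthand modelled on Lintian's hardening tags, not its real tag names, and the three sample "binaries" are constructed byte strings consisting of a header plus program headers only, so they are not runnable programs. BIND_NOW and FORTIFY are deliberately left out; they need the `.dynamic` section and symbol table rather than the program headers alone.

```python
"""Added example: minimal ELF64 program-header inspector for hardening properties.
Not FPC or Lintian code. The sample images below are constructed for illustration."""
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3                      # e_type: fixed-address exe vs. PIE/shared object
PT_LOAD, PT_INTERP = 1, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4


def parse_program_headers(data: bytes):
    """Return (e_type, [(p_type, p_flags), ...]) for a little-endian ELF64 image."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled in this example")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", data, off)  # first two phdr fields
        phdrs.append((p_type, p_flags))
    return e_type, phdrs


def hardening_report(data: bytes) -> dict:
    """Booleans a hardening checker derives from the program headers alone."""
    e_type, phdrs = parse_program_headers(data)
    types = {t for t, _ in phdrs}
    stack_flags = [f for t, f in phdrs if t == PT_GNU_STACK]
    return {
        "dynamic": PT_INTERP in types,      # asks for a program interpreter (ld.so)
        "pie": e_type == ET_DYN,            # position independent, ASLR can relocate it
        "relro": PT_GNU_RELRO in types,     # linker emitted a RELRO segment
        # With no PT_GNU_STACK the kernel grants an executable stack on most arches,
        # so absence is treated the same as an explicit PF_X stack.
        "nx_stack": bool(stack_flags) and not (stack_flags[0] & PF_X),
    }


def findings(report: dict) -> list:
    """Shorthand findings modelled on Lintian's hardening tags (names are mine)."""
    out = []
    if not report["pie"]:
        out.append("no-pie")
    if not report["relro"]:
        out.append("no-relro")
    if not report["nx_stack"]:
        out.append("exec-stack")
    return out


def build_elf(e_type: int, phdrs) -> bytes:
    """Constructed sample: ELF64 header (x86-64) followed only by program headers."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)   # class 64, LE, version 1, SYSV
    header = struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                         64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ident + header + body


# Constructed samples (header + phdrs only, not runnable programs).
# A static, non-PIE link: no interpreter, fixed addresses, no RELRO segment.
STATIC_BINARY = build_elf(ET_EXEC, [(PT_LOAD, PF_R | PF_X),
                                    (PT_GNU_STACK, PF_R | PF_W)])
# A dynamically linked PIE with RELRO and a non-executable stack.
HARDENED_PIE = build_elf(ET_DYN, [(PT_INTERP, PF_R), (PT_LOAD, PF_R | PF_X),
                                  (PT_GNU_RELRO, PF_R), (PT_GNU_STACK, PF_R | PF_W)])
# Same, but the linker was told the stack must be executable.
EXEC_STACK = build_elf(ET_DYN, [(PT_INTERP, PF_R), (PT_LOAD, PF_R | PF_X),
                                (PT_GNU_RELRO, PF_R), (PT_GNU_STACK, PF_R | PF_W | PF_X)])

if __name__ == "__main__":
    for name, blob in [("static", STATIC_BINARY), ("pie", HARDENED_PIE),
                       ("exec-stack", EXEC_STACK)]:
        rep = hardening_report(blob)
        print(f"{name:10s} {rep} -> {findings(rep)}")
```

Against a real file, `hardening_report(open(path, "rb").read())` gives the same dictionary; the static sample comes back with both `no-pie` and `no-relro`, which is exactly the pair of complaints the thread is about. A static PIE (ET_DYN with no PT_INTERP) is reported as `dynamic: False, pie: True`, so the two properties are deliberately kept separate rather than inferring one from the other.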


