• Secure debian

    From jasem masry@3:633/10 to All on Tuesday, October 21, 2025 06:30:01
    I want to secure Debian against vulnerability exploitation, and I know
    that I should use compiler flags, but the problem is that there are many
    apps on the system. Should I compile them app by app, or is there a
    practical solution for that? I want URLs to articles on the web for the
    solution, to save your time.


    --- PyGate Linux v1.5
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Colin Watson@3:633/10 to All on Tuesday, October 21, 2025 13:50:01
    On Mon, Oct 20, 2025 at 08:24:46AM +0300, jasem masry wrote:
    >I want to secure Debian against vulnerability exploitation, and I know
    >that I should use compiler flags, but the problem is that there are many
    >apps on the system. Should I compile them app by app, or is there a
    >practical solution for that? I want URLs to articles on the web for the
    >solution, to save your time.

    Consider whether this is a good use of your time in the first place.
    Modern versions of Debian already apply a number of hardening options
    via compiler flags (see the output of "dpkg-buildflags", if you have the
    dpkg-dev package installed). If you were to find additional strategies
    that were generally applicable across the whole distribution, then those
    would likely be things we'd want to enable in Debian; but a lot of
    people have already spent a lot of time on this in Debian, and if you're
    coming to it from scratch without prior experience, it would probably
    take quite some time before you found viable approaches that they
    didn't.

    Unless you were to put a great deal of complex automation in place, I
    think it's likely that attempting to recompile everything with different
    compiler options would lose you more effective security (due to being
    slower to apply updates) than you'd gain.

    In practical terms, your time is probably better spent on other
    approaches. https://wiki.debian.org/SecurityManagement has some ideas
    and useful links.

    --
    Colin Watson (he/him) [cjwatson@debian.org]

    --- PyGate Linux v1.5
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
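
The reply above points to the output of "dpkg-buildflags" for the hardening flags Debian already applies. As an added example (not part of either post), this shell script checks such output for a few common hardening flags; SAMPLE_FLAGS, the function names and the list of checks are assumptions made for illustration, and the live defaults are read instead when dpkg-buildflags is installed.

```shell
#!/bin/sh
# Added example: report which common hardening flags appear in
# dpkg-buildflags-style output ("VAR=flags" lines).

# Constructed sample in the "VAR=value" format that dpkg-buildflags prints;
# real values depend on the release, architecture and dpkg version.
SAMPLE_FLAGS='CFLAGS=-g -O2 -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection
CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2
LDFLAGS=-Wl,-z,relro'

# flag_value VAR TEXT: print the flags assigned to VAR in TEXT.
flag_value() {
    printf '%s\n' "$2" | sed -n "s/^$1=//p"
}

# has_flag VAR PATTERN TEXT: succeed if a word of VAR matches shell PATTERN.
has_flag() {
    for word in $(flag_value "$1" "$3"); do
        case $word in
            $2) return 0 ;;
        esac
    done
    return 1
}

# audit_flags TEXT: print one "check: present|missing" line per check.
audit_flags() {
    while IFS='|' read -r name var pattern; do
        if has_flag "$var" "$pattern" "$1"; then
            echo "$name: present"
        else
            echo "$name: missing"
        fi
    done <<'EOF'
stack-protector|CFLAGS|-fstack-protector*
stack-clash-protection|CFLAGS|-fstack-clash-protection
format-security|CFLAGS|-Werror=format-security
fortify-source|CPPFLAGS|-D_FORTIFY_SOURCE=[123]
relro|LDFLAGS|-Wl,-z,relro
bindnow|LDFLAGS|-Wl,-z,now
EOF
}

# Use the live defaults when dpkg-dev is installed, else the sample.
if command -v dpkg-buildflags >/dev/null 2>&1; then
    audit_flags "$(dpkg-buildflags)"
else
    audit_flags "$SAMPLE_FLAGS"
fi
```

A "missing" line only means the flag is not in the text that was checked; it says nothing about protections enabled by other means.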