Hardening subgoal for Wheezy:
All packages, which had a DSA since 2006. 

Instructions:
- After checking a package, add it to the "Candidates:" or "Non-candidates:" list
- After NMUing a candidate where all build flags have been successfully enabled, 
  add it to the "Resolved/fixed:" list
- After NMUing a candidate with only some of the build flags enabled, add it to
  the "Partially fixed: list (in order to remember what needs further work in the 
  future)
- cdbs packages should be fixed automatically, but needs to be double-checked


Candidates:

alsaplayer (654518)
amarok (653354)
apt (653504)
asterisk (653944)
barnowl (653506)
beid (653956)
bochs (653511)
bzip2 (655164)
capi4hylafax (653539)
chrony (655123)
citadel (653514)
clamav (653958)
courier-authlib (655168)
cpio (654522)
cscope (653490)
ctorrent (653536)
devil (653535)
dspam (655189)
dovecot (653530)
drbd8 (currently broken: #654459)
e2fsprogs (654457)
ejabberd
ekg (653531)
emacs23 (655118)
expat (653526)
file (653481)
flex
freeciv (654809)
freeradius
ganglia (655126)
eglibc
gmime2.4
pioneers
gnumeric
gnupg (653480)
gzip
hashcash
heartbeat
hostapd
hplip
httrack
hylafax
iceape
iceweasel (653191)
imagemagick
imlib2
inotify-tools
ircd-hybrid
isakmpd
iscsitarget
kazehakase
krb5 (655248)
krb5-appl
l2tpns
lasso
lcms (654821)
lftp
libapache2-mod-authnz-external
libapache2-mod-auth-pgsql
libapache-mod-auth-kerb
libapache-mod-jk
libav
cairo (655128)
libcgroup (654819)
libdbd-pg-perl
libdumb
libexif (650998)
libextractor
libfishsound
libhtml-parser-perl
libimager-perl
libmikmod
libmodplug (654817)
libnet-dns-perl
librpcsecgss (654808)
libtk-img
libtool
libtunepimp (654832)
libvorbis
libwpd (653947)
libxfont (654154)
libxml2 (654903)
libxslt
links2 (654807)
linux-ftpd
loop-aes-utils
ltsp
lurker
lvm2
maildrop (655133)
mapserver
maradns
memcached (655134)
mimetex
mlmmj
mono
mplayer
mplayer2
forked-daapd (654147)
multipath-tools
mutt (654148)
mysql-ocaml
icinga
nas
nbd (653954)
ndiswrapper (655249)
netpbm-free
netrik
net-snmp
newt
nginx
noweb
nsd3
nspr
nss
ntp
openafs
open-iscsi
openjdk-6
libreoffice
opensaml2
openssl (653495)
openswan (655139)
openvpn (655130)
pam-pgsql
pcre3
pdns
pdns-recursor
perdition
perl
ppp
pptpd
proftpd-dfsg
psi
pstotext (655105)
pygresql
python2.7
python3.2
python3.3
python-cjson
qemu
qemu-kvm
qt4-x11
qt-x11-free
rssh (654155)
rsync (652248)
ruby-gnome2
sash (654909)
scponly
screen
slurm-llnl
smstools
snmptrapfmt
socat (654152)
spamassassin
spamass-milter
speex
splitvt
squidguard
strongswan
subversion
sudo
suphp
syslog-ng (655163)
systemtap
tcpreen (655250)
telepathy-gabble
texinfo
tgt
tinyproxy
tk8.4
tk8.5
unbound
unicon
unzip
vlc
vnc4
webcit
webkit
wesnoth
wget (654908)
wine
wml
wxwidgets2.6
wxwidgets2.8
wzdftpd (655141)
x11-xserver-utils
xapian-omega
xine-lib (655146)
xmlsec1
xml-security-c
xmltooling
zabbix
zodb
zoo
vsftpd (655103)
collectd


Packages using dh, but which need additional multiarch changes for compat 9:
opensc
openexr
libtorrent-rasterbar
exiv2
libcdaudio
pcsc-lite
id3lib3.8.3


Packages using cdbs, which need additional fixes:
icedove

Packages using Scons, needs additional research:
blender

Packages using cmake, needs additional research:
kaffeine
kdebase
kde4libs
kdegraphics
ktorrent
kvirc


Packages, which should rather be removed than hardened:
cgiirc (suggested removal in #653510)
djbdns
dkim-milter (currently broken, dropped from testing: #629663)
kolab-cyrus-imapd (will be removed and built from the cyrus-2.4 package; #647221)
osiris (suggested removal in 655116)



Candidate packages using cdbs, fixed with the next upload after 2011-09-23 with
  the upload of dpkg/1.16.1:
koffice
libspf2
wordnet
sendmail
afuse
bomberclone
camlimages
couchdb
crossfire
dvipng
eggdrop
gdm3
glib2.0
gnutls26
gst-plugins-bad0.10
gst-plugins-good0.10
heimdal
icu
jabberd14
libapache2-mod-fcgid
evince
libast
libgtop2
libnss-ldap
libpam-ldap
libsoup2.4
libtasn1-3
libtheora
link-grammar
lsh-server
mediawiki
moin
pango1.0
pmount
polipo
poppler
postgresql-ocaml
pulseaudio
ruby1.8
ruby1.9.1
squid3
streamripper
sword
t1lib
unalz
uw-imap
vino


Fixed:
libvirt (0.9.6-1)
gimp (2.6.11-4)
ghostscript (9.04~dfsg-1)
samba (2:3.5.11~dfsg-2)
libgd2 (2.0.36~rc1~dfsg-6)
sympa (6.1.7~dfsg-1)
mailman (1:2.1.14-3)
ncompress (4.2.4.4-3)
xzgv (5.9-3)
flac (1.2.1-6)
xorg-server (2:1.11.1.901-1)
openldap (2.4.25-4)
vim (2:7.3.346-1)
freetype (2.4.7-2)
python-crypto (2.4-1)
xorg-server (2:1.11.1.901-1)
xpdf (3.03-7)
fetchmail (6.3.21-3)
libmusicbrainz-2.1 (2.1_2.1.5-6.1)
network-manager (0.9.1.95-1)
libmusicbrainz-2.1 (2.1_2.1.5-6.1)
tmux (1.6~svn2630-2)
tcpdump (4.2.0~rc1-2)
libthai (0.1.16-1)
git (1:1.7.7.2-1)
man-db (2.6.0.2-3)
elinks (0.12~pre5-6)
zgv (5.9-4)
jasper (1.900.1-11)
xfs (1.0.8-7)
fbi (2.07-9) 
reprepro (4.5.0-1)
antiword (0.37-8) (653499)
wv2 (0.4.2.dfsg.1-5)
dpkg (1.16.1)
fuse (2.8.6-3)
fontforge (0.0.20110222-6) (653534)
apache2 (2.2.21-4)
cabextract (1.4-2) (653509)
htdig (3.2.0b6-12)
xterm (276-2) (653488)
enscript (1.6.5.90-2) (653528)
amule (2.3.1-2) (653503)
gv (1:3.7.1-2)
bluez-hcidump (2.1-2) (653507)
lighttpd (1.4.30-1) (654151)
pimd (2.1.8-2) (654081)
chmlib (2:0.40a-2) (653955)
lynx-cur (6.6.7-4) (654097)
rdesktop (1.7.0-2) (653498)
libpam-krb5 (4.5-3) (654293)
curl (7.23.1-3) (654521)
audiofile (0.3.2-1) (651029)
libarchive (2.8.5-2)
courier (0.66.3-2) (654794)
libsndfile (1.0.25-4) (654831)
libwmf (0.2.8.4-10)
exiftags (1.01-5) (654804) 
nss-pam-ldapd (0.8.5)
isc-dhcp (4.2.2-2)
sdl-image1.2 (1.2.10-3)
mtr (0.82-2) (654117)
dia (0.97.2-4)
libpng (1.2.46-4) (654149)
mldonkey (3.1.0-3) (655140)
avahi (0.6.30-6) (655188)
mon (1.2.0-5) (655137)
acpid (1:2.0.14-2) (653502)
libsmi (0.4.8+dfsg2-5) (654812)





Hardening incomplete:
gtetrinet (653443)
firebird2.5 (654793)


Packages, which use hardened build flags manually, but not yet dpkg-buildflags:
apr
apr-util
pound (654833)
mpg123



Packages using hardening-wrapper/-includes (these are considered fixed, although
   switching them over to dpkg-buildflags might be worthwhile later on):
netatalk
graphicsmagick
udev
xfce4-terminal
openssh
evolution
dbus
libgsf
tor
evolution-data-server
cyrus-imapd-2.4
aria2
mysql-5.1
cups
wireshark
squid
exim4
php5
ipsec-tools
postgresql-8.4
postgresql-9.0
postgresql-9.1
gnupg2
nagios3
tiff
bind9
postfix
chromium-browser
pidgin
nagios-plugins
znc
cyrus-sasl2
ldns
quagga