Hardening subgoal for Wheezy:
All packages, which had a DSA since 2006. 

Instructions:
- After checking a package, add it to the "Candidates:" or "Non-candidates:" list
- After NMUing a candidate where all build flags have been successfully enabled, 
  add it to the "Resolved/fixed:" list
- After NMUing a candidate with only some of the build flags enabled, add it to
  the "Partially fixed: list (in order to remember what needs further work in the 
  future)
- cdbs packages should be fixed automatically, but needs to be double-checked


Candidates:

alsaplayer (654518)
amarok (653354)
apt (653504)
asterisk (653944)
barnowl (653506)
beid (653956)
bochs (653511)
bzip2 (655164)
capi4hylafax (653539)
chrony (655123)
clamav (653958)
courier-authlib (655168)
cpio (654522)
cscope (653490)
ctorrent (653536)
devil (653535)
dspam (655189)
dovecot (653530)
drbd8 (currently broken: #654459)
e2fsprogs (654457)
ejabberd
ekg (653531)
emacs23 (655118)
expat (653526)
file (653481)
flex (655414)
freeciv (654809)
freeradius
ganglia (655126)
eglibc
gmime2.4
pioneers
gnumeric
gnupg (653480)
gzip (currently broken: 653960)
hashcash (655864)
heartbeat
hostapd
hplip
httrack
hylafax (656260)
iceape
iceweasel (653191)
imagemagick
imlib2 (656512)
inotify-tools
ircd-hybrid
isakmpd
iscsitarget
kazehakase
krb5-appl
l2tpns
lasso
lcms (654821)
libapache2-mod-authnz-external
libapache2-mod-auth-pgsql
libapache-mod-auth-kerb
libapache-mod-jk
libav
cairo (655128)
libcgroup (654819)
libdumb
libexif (650998)
libextractor
libfishsound
libmikmod
libmodplug (654817)
librpcsecgss (654808)
libtk-img
libtool
libtunepimp (654832)
libvorbis
libwpd (653947)
libxfont (654154)
libxslt (655601)
links2 (654807)
linux-ftpd (656005)
loop-aes-utils (656009)
ltsp
lurker
lvm2
maildrop (655133)
mapserver
maradns
memcached (655134)
mimetex
mlmmj (655893)
mono
mplayer
mplayer2
forked-daapd (654147)
multipath-tools
mutt (654148)
mysql-ocaml
icinga
nas (655743)
nbd (653954)
ndiswrapper (655249)
netpbm-free (655737)
netrik (656004)
net-snmp
newt
nginx
noweb
nspr
nss
ntp
openafs
open-iscsi
openjdk-6
libreoffice
opensaml2 (656006)
openssl (653495)
openswan (655139)
openvpn (655130)
pam-pgsql (656003)
pcre3 (656008)
pdns
pdns-recursor
perdition (655412)
perl
ppp
pptpd
proftpd-dfsg
pstotext (655105)
pygresql
python2.7
python3.2
python-cjson
qemu (656276)
qemu-kvm
qt4-x11
qt-x11-free
rssh (654155)
rsync (652248)
ruby-gnome2 (655415)
sash (654909)
screen (656513)
slurm-llnl
smstools
snmptrapfmt
socat (654152)
spamassassin
spamass-milter
speex (655880)
splitvt (656027)
squidguard (656028)
subversion
suphp (655419)
syslog-ng (655163)
systemtap (655882)
tcpreen (655250)
telepathy-gabble
texinfo
tgt (656127)
tinyproxy (655870)
tk8.4
tk8.5
unbound
unicon
unzip (656268)
vlc
vnc4
webcit
webkit
wine
wxwidgets2.8
wzdftpd (655141)
x11-xserver-utils (655503)
xapian-omega
xine-lib (655146)
xmlsec1
xml-security-c
xmltooling
zabbix
zodb
vsftpd (655103)
collectd (656271)
id3lib3.8.3 (656272)
pcsc-lite (656273)
exiv2 (656356)
opensc (656350)
openexr (656506)
libcdaudio (656507)

Packages using dh, but which need additional multiarch changes for compat 9:
libtorrent-rasterbar


Packages using Makefile.PL, needs additional research:
libhtml-parser-perl
libdbd-pg-perl
libimager-perl
libnet-dns-perl
wml


Packages using Scons, needs additional research:
blender

Packages using cmake, needs additional research:
kaffeine
kdebase
kde4libs
kdegraphics
ktorrent
kvirc
wesnoth-1.9
psi


Packages, which should rather be removed than hardened:
cgiirc (suggested removal in #653510)
djbdns
dkim-milter (currently broken, dropped from testing: #629663)
kolab-cyrus-imapd (will be removed and built from the cyrus-2.4 package; #647221)
osiris (suggested removal in 655116)
scponly (RM bug: 650590)



Candidate packages using cdbs, needs further studying:
sympa
libgd2
icedove
ghostscript
libvirt
gimp
koffice
libspf2
wordnet
sendmail
afuse
bomberclone
camlimages
couchdb
crossfire
dvipng
eggdrop
gdm3
glib2.0
gnutls26
gst-plugins-bad0.10
gst-plugins-good0.10
heimdal
icu
jabberd14
libapache2-mod-fcgid
evince
libast
libgtop2
libnss-ldap
libpam-ldap
libsoup2.4
libtasn1-3
libtheora
link-grammar
lsh-server
mediawiki
moin
pango1.0
pmount
polipo
poppler
postgresql-ocaml
pulseaudio
ruby1.8
ruby1.9.1
squid3
streamripper
sword
t1lib
unalz
uw-imap
vino


Fixed:
samba (2:3.5.11~dfsg-2)
mailman (1:2.1.14-3)
flac (1.2.1-6)
xorg-server (2:1.11.1.901-1)
openldap (2.4.25-4)
vim (2:7.3.346-1)
freetype (2.4.7-2)
python-crypto (2.4-1)
xorg-server (2:1.11.1.901-1)
xpdf (3.03-7)
fetchmail (6.3.21-3)
libmusicbrainz-2.1 (2.1_2.1.5-6.1)
network-manager (0.9.1.95-1)
libmusicbrainz-2.1 (2.1_2.1.5-6.1)
tmux (1.6~svn2630-2)
tcpdump (4.2.0~rc1-2)
libthai (0.1.16-1)
git (1:1.7.7.2-1)
man-db (2.6.0.2-3)
elinks (0.12~pre5-6)
zgv (5.9-4)
jasper (1.900.1-11)
xfs (1.0.8-7)
fbi (2.07-9) 
reprepro (4.5.0-1)
antiword (0.37-8) (653499)
wv2 (0.4.2.dfsg.1-5)
dpkg (1.16.1)
fuse (2.8.6-3)
fontforge (0.0.20110222-6) (653534)
apache2 (2.2.21-4)
cabextract (1.4-2) (653509)
htdig (3.2.0b6-12)
xterm (276-2) (653488)
enscript (1.6.5.90-2) (653528)
amule (2.3.1-2) (653503)
gv (1:3.7.1-2)
bluez-hcidump (2.1-2) (653507)
lighttpd (1.4.30-1) (654151)
pimd (2.1.8-2) (654081)
chmlib (2:0.40a-2) (653955)
lynx-cur (6.6.7-4) (654097)
rdesktop (1.7.0-2) (653498)
libpam-krb5 (4.5-3) (654293)
curl (7.23.1-3) (654521)
audiofile (0.3.2-1) (651029)
libarchive (2.8.5-2)
courier (0.66.3-2) (654794)
libsndfile (1.0.25-4) (654831)
libwmf (0.2.8.4-10)
exiftags (1.01-5) (654804) 
nss-pam-ldapd (0.8.5)
isc-dhcp (4.2.2-2)
sdl-image1.2 (1.2.10-3)
mtr (0.82-2) (654117)
dia (0.97.2-4)
libpng (1.2.46-4) (654149)
mldonkey (3.1.0-3) (655140)
avahi (0.6.30-6) (655188)
mon (1.2.0-5) (655137)
acpid (1:2.0.14-2) (653502)
libsmi (0.4.8+dfsg2-5) (654812)
sudo (1.8.3p1-3) (655417)
zoo (2.10-25) (655499)
citadel (8.04-1) (653514)
firebird2.5 (2.5.2~svn+53854.ds4-1) (654793)
wget (1.13.4-2) (654908)
krb5 (1.10+dfsg~beta1-1) (655248)
libxml2 (2.7.8.dfsg-6) (654903)
lftp (4.3.4-1)




Hardening incomplete:
gtetrinet (653443)
ncompress (relro missing)


Packages, which use hardened build flags manually, but not yet dpkg-buildflags:
apr
apr-util
pound (654833)
mpg123



Packages using hardening-wrapper/-includes (these are considered fixed, although
   switching them over to dpkg-buildflags might be worthwhile later on):
netatalk
strongswan
graphicsmagick
udev
xfce4-terminal
openssh
evolution
dbus
libgsf
tor
evolution-data-server
cyrus-imapd-2.4
aria2
mysql-5.1
cups
wireshark
squid
exim4
php5
ipsec-tools
postgresql-8.4
postgresql-9.0
postgresql-9.1
gnupg2
nagios3
tiff
bind9
postfix
chromium-browser
pidgin
nagios-plugins
znc
cyrus-sasl2
ldns
quagga
nsd3