Re: Hardening
From: Ricardo Wurmus
Subject: Re: Hardening
Date: Wed, 17 Aug 2016 08:49:36 +0200
User-agent: mu4e 0.9.16; emacs 25.1.1
Leo Famulari <address@hidden> writes:
> On Wed, Dec 30, 2015 at 05:06:30PM +0100, Ludovic Courtès wrote:
>> Alex Vong <address@hidden> skribis:
>> > Yes, I grep for `fstack-protector-strong' in the guix code base and no
>> > matches are found. It appears no packages are setting this flag
>> > currently. I think this flag (perhaps also a couple others) should be
>> > set by default since they help protect against buffer overflow
>> > <https://en.wikipedia.org/wiki/Buffer_overflow_protection>.
>>
>> I definitely agree, that’s something I’ve been wanting to try out.
>>
>> The question is more how. Do we change the default #:configure-flags
>> for ‘gnu-build-system’ to something like:
>>
>> '("CPPFLAGS=-D_FORTIFY_SOURCE=2"
>> "CFLAGS=-O2 -g -fstack-protector-strong")
>>
>> ?
>>
>> That sounds like a good starting point, but I expect that (1) one third
>> of the packages will fail to build, and (2) another third of the
>> packages will not get these flags, for instance because they pass their
>> own #:configure-flags.
>>
>> IOW, it will take a whole rebuild to find out exactly what’s going on
>> and to fix any issues.
>>
>> Would you like to start working on it? Then we could create a branch,
>> have Hydra build it, and incrementally fix things.
>
> We should pick this project back up. I was surprised to find we haven't
> done anything like this after reading this recent blog post about Nix's
> hardening effort:
>
> https://blog.mayflower.de/5800-Hardening-Compiler-Flags-for-NixOS.html?utm_source=twitterfeed&utm_medium=twitter
Are the above flags the only flags we’d like to play with? There’s no
harm in letting hydra rebuild the world with these flags on a separate
branch — provided that all build nodes are usable.
~~ Ricardo
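The flags quoted above only help if they actually reach each package's compiler invocation, which is the uncertainty behind point (2) in the thread: a package that passes its own #:configure-flags silently drops them. The script below is an added example for readers of this archive, not code from this thread or from Guix. It builds a small constructed probe program (a fixed-size stack buffer filled by an unbounded strcpy, the textbook case for both flags) once with the flags explicitly off and once with the flags proposed above, then inspects the binaries with nm for the traces the flags leave behind in a glibc-linked ELF: a reference to __stack_chk_fail for the stack protector, and imports of __*_chk wrappers (such as __strcpy_chk) for _FORTIFY_SOURCE=2. The function names, the probe source and the reliance on cc/nm from a GNU/Linux toolchain are assumptions made for illustration; has_stack_protector and has_fortify can be pointed at any binary from a build output.

```shell
#!/bin/sh
# Added example (not Guix code, not from this thread): does a built binary
# actually carry the instrumentation that -fstack-protector-strong and
# -D_FORTIFY_SOURCE=2 are meant to add?  Assumes a GNU/Linux toolchain with
# a C compiler and nm on PATH, and glibc's symbol names.
set -eu

CC=${CC:-gcc}
command -v "$CC" >/dev/null 2>&1 || CC=cc

# has_stack_protector BINARY -> "yes" if the binary references
# __stack_chk_fail (or the hidden __stack_chk_fail_local that i386 PIC
# code uses), which the compiler only emits for canary-protected frames.
# Both the dynamic and the static symbol table are consulted.
has_stack_protector() {
    { nm -D "$1" 2>/dev/null; nm "$1" 2>/dev/null; } |
        awk 'BEGIN { r = "no" } $NF ~ /^__stack_chk_fail/ { r = "yes" } END { print r }'
}

# has_fortify BINARY -> "yes" if any glibc __*_chk wrapper (e.g. __strcpy_chk)
# is imported.  _FORTIFY_SOURCE rewrites fortifiable calls with a known
# destination size into these wrappers; a binary with no such call sites
# shows "no" even when the flag was passed, so treat "no" as a prompt to
# look closer rather than as proof the flag was dropped.
has_fortify() {
    nm -D "$1" 2>/dev/null |
        awk 'BEGIN { r = "no" } $1 == "U" && $NF ~ /^__[a-z0-9_]*_chk(@|$)/ { r = "yes" } END { print r }'
}

# build_probe OUTPUT CFLAGS...: compile a constructed probe program, the
# textbook case for both flags: a fixed-size stack buffer filled by an
# unbounded strcpy from argv[1].
build_probe() {
    out=$1; shift
    dir=$(mktemp -d)
    cat > "$dir/probe.c" <<'EOF'
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv)
{
    char buf[64];              /* fixed-size stack buffer */
    if (argc < 2)
        return 1;
    strcpy(buf, argv[1]);      /* unbounded copy: overflows for >63 bytes */
    puts(buf);
    return 0;
}
EOF
    "$CC" "$@" -o "$out" "$dir/probe.c"
    rm -rf "$dir"
}

# report BINARY: one line summarising both checks.
report() {
    printf '%-10s stack-protector=%s fortify=%s\n' \
        "$(basename "$1"):" "$(has_stack_protector "$1")" "$(has_fortify "$1")"
}

# demo: build the probe with the flags explicitly off, then with the flags
# from the thread, and report what each binary contains.
demo() {
    work=$(mktemp -d)
    build_probe "$work/plain" -O2 -fno-stack-protector -U_FORTIFY_SOURCE
    build_probe "$work/hardened" -O2 -g -fstack-protector-strong -D_FORTIFY_SOURCE=2
    report "$work/plain"      # plain:    stack-protector=no  fortify=no
    report "$work/hardened"   # hardened: stack-protector=yes fortify=yes
    rm -rf "$work"
}

# Run the demonstration only when a toolchain is available.
if command -v "$CC" >/dev/null 2>&1 && command -v nm >/dev/null 2>&1; then
    demo
fi
```

The "plain" build passes -fno-stack-protector and -U_FORTIFY_SOURCE explicitly because some distribution compilers turn both on by default, which would otherwise mask a dropped flag. Run the two checks over the files in a package's output (for example every ELF under bin/ and lib/) to find the packages of Ludovic's second category, the ones whose own #:configure-flags or CFLAGS override the defaults; the first category, packages that no longer build at all, shows up in the build log rather than in the binary.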