Re: hardening


From: ng0
Subject: Re: hardening
Date: Thu, 22 Mar 2018 13:16:31 +0000

Let's keep this thread as the thread to discuss possible solutions and work
in that field.

Yesterday Marius wrote on IRC 
(https://gnunet.org/bot/log/guix/2018-03-21#T1657250):

<mbakke> This is a pretty good article about build flags (mainly hardening related): https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-...
<mbakke> It would be great to have a "#:hardening?" option with additional provisions for specific flags.

The link in full: 
https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/

Nix has a functionality to disable hardening:
https://github.com/NixOS/nixpkgs/search?utf8=%E2%9C%93&q=harden&type=
for example visible here:
https://github.com/NixOS/nixpkgs/commit/f5b04628f00e98e4c757466ab6be2c125d89feeb

I have some more notes on Gentoo I'll add next month.

Food for thought:
If we go all in, we might have to recompile the bootstrap binaries.


keyword #:hardening-flags is a good entry for manually fixing packages up to
the point where they work with hardened flags. Caveat is, not everything will
work well or even at all with hardened flags and toolchain.
So we are presented with 2 options.
1) Selectively harden what is possible through the keyword mentioned above
or
2) harden by default and switch off flags through something like
#:hardening-exclude, which would default to the empty list and otherwise
would remove the elements in its list from the list of flags.

Further thoughts:
#:hardened? could be a simple check so that having package-graphs which are not
hardened are possible. We would default to #t, off would be #f obviously.


My work in progress so far is to work this into the gnu-build-system, which
seemed like a good starting point.

I'm in favor of option 2 coupled with the keyword to disable hardening 
altogether.

WDYT?
-- 
A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://n0.is
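The two keywords proposed in the message above (#:hardened? as the global switch of option 2, #:hardening-exclude as the per-package list of flags to drop) worked through as an added Guile example. This is not code from ng0's message or from the Guix code base; the default flag set, the procedure names hardening-flags and hardened-configure-flags, and the way the result is handed to ./configure as CFLAGS=/LDFLAGS= arguments are all assumptions made for illustration.

```scheme
;; Added example (not from the message or from Guix): a sketch of how the
;; proposed #:hardened? and #:hardening-exclude keywords could derive the
;; flags a build system passes to a package's configure phase.  The default
;; flag set and the procedure names below are assumptions for illustration.
(use-modules (srfi srfi-1))

;; Assumed default hardening set, split by the variable it belongs in.  These
;; are the usual GCC/ld hardening options (cf. the Red Hat article linked in
;; the message); which ones Guix would enable by default is an assumption.
(define %default-hardening-cflags
  '("-D_FORTIFY_SOURCE=2"
    "-fstack-protector-strong"
    "-fstack-clash-protection"
    "-fPIE"))

(define %default-hardening-ldflags
  '("-Wl,-z,relro"
    "-Wl,-z,now"
    "-pie"))

(define* (hardening-flags #:key (hardened? #t) (hardening-exclude '()))
  "Return two values, the CFLAGS and the LDFLAGS to add.  HARDENED? is the
global switch (option 2: on by default, #f turns everything off);
HARDENING-EXCLUDE is the per-package list, empty by default, whose elements
are removed from the default flag lists."
  (if hardened?
      (values (lset-difference string=?
                               %default-hardening-cflags hardening-exclude)
              (lset-difference string=?
                               %default-hardening-ldflags hardening-exclude))
      (values '() '())))

(define (hardened-configure-flags configure-flags . args)
  "Prepend CFLAGS=... and LDFLAGS=... entries to CONFIGURE-FLAGS, the way a
build system's 'configure phase would hand them to ./configure.  ARGS are
the #:hardened? / #:hardening-exclude keyword arguments."
  (call-with-values (lambda () (apply hardening-flags args))
    (lambda (cflags ldflags)
      (append (if (null? cflags)
                  '()
                  (list (string-append "CFLAGS=" (string-join cflags " "))))
              (if (null? ldflags)
                  '()
                  (list (string-append "LDFLAGS=" (string-join ldflags " "))))
              configure-flags))))

;; A package that cannot be built as a position-independent executable keeps
;; every other hardening flag: only "-fPIE" and "-pie" are subtracted.
(hardened-configure-flags '("--disable-static")
                          #:hardening-exclude '("-fPIE" "-pie"))

;; A package graph built with #:hardened? #f gets its plain configure flags
;; back, with no CFLAGS= or LDFLAGS= entries prepended.
(hardened-configure-flags '("--disable-static") #:hardened? #f)
```

One caveat a real gnu-build-system integration would have to handle: passing CFLAGS=... to ./configure replaces autoconf's default "-g -O2" rather than adding to it, and -D_FORTIFY_SOURCE=2 only takes effect when compiling with optimisation (-O1 or higher), so the hardening flags need to be merged with the existing CFLAGS instead of substituted for them.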