[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Plan for Guix security (was Re: Long term plan for GuixSD security:
From: |
Ludovic Courtès |
Subject: |
Re: Plan for Guix security (was Re: Long term plan for GuixSD security: microkernels, ocap, RISC-V support) |
Date: |
Sat, 05 Jan 2019 18:47:23 +0100 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux) |
Hello,
Marius Bakke <address@hidden> skribis:
> Alex Vong <address@hidden> writes:
>
>> Besides, I remember we have discuss about hardening before. Should I
>> start a new hardening branch? (although I don't time to work on it right
>> now). I think this is something we can do now.
>>
>> My idea is to create a new guix module (guix build hardening) which
>> should contains various build flags. Then we should modifiy each build
>> system to import from this new module and fix any build error caused by
>> it. We can ask the build farm to evaluate this new branch, right?
>>
>>
>> What do you think?
>
> Thank you for taking the initiative! This sounds great to me. I
> imagine the build systems could get an argument along the lines of
> #:hardening-flags '(pie fortify stack-protector ...).
>
> For gnu-build-system, I suppose we'd build up CFLAGS, LDFLAGS and
> friends? We'll also have to modify all packages that override those
> variables.
Sounds like a plan. I think Alex proposed something along these lines
long ago.
The difficulty will lie in finding a way to pass those flags reliably
through the build system…
Ludo’.
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- Re: Plan for Guix security (was Re: Long term plan for GuixSD security: microkernels, ocap, RISC-V support),
Ludovic Courtès <=