Re: Hardening


From: Leo Famulari
Subject: Re: Hardening
Date: Tue, 16 Aug 2016 19:57:11 -0400
User-agent: Mutt/1.6.0 (2016-04-01)

On Wed, Dec 30, 2015 at 05:06:30PM +0100, Ludovic Courtès wrote:
> Alex Vong <address@hidden> skribis:
> > Yes, I grep for `fstack-protector-strong' in the guix code base and no
> > matches are found. It appears no packages are setting this flag
> > currently. I think this flag (perhaps also a couple others) should be
> > set by default since they help protect against buffer overflow
> > <https://en.wikipedia.org/wiki/Buffer_overflow_protection>.
> 
> I definitely agree, that’s something I’ve been wanting to try out.
> 
> The question is more how.  Do we change the default #:configure-flags
> for ‘gnu-build-system’ to something like:
> 
>   '("CPPFLAGS=-D_FORTIFY_SOURCE=2"
>     "CFLAGS=-O2 -g -fstack-protector-strong")
> 
> ?
> 
> That sounds like a good starting point, but I expect that (1) one third
> of the packages will fail to build, and (2) another third of the
> packages will not get these flags, for instance because they pass their
> own #:configure-flags.
> 
> IOW, it will take a whole rebuild to find out exactly what’s going on
> and to fix any issues.
> 
> Would you like to start working on it?  Then we could create a branch,
> have Hydra build it, and incrementally fix things.

We should pick this project back up. I was surprised to find we haven't
done anything like this after reading this recent blog post about Nix's
hardening effort:

https://blog.mayflower.de/5800-Hardening-Compiler-Flags-for-NixOS.html?utm_source=twitterfeed&utm_medium=twitter
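One way to find out, after such a rebuild, which package outputs actually picked up -fstack-protector-strong and -D_FORTIFY_SOURCE=2 (Ludovic's concern (2) above) is to look at the undefined symbols of the built binaries: a canary-protected function references __stack_chk_fail, and fortified calls go through glibc's __*_chk wrappers. This is an added example, not code from the thread or from Guix; the two `nm -D` outputs it parses are constructed samples.

```python
"""Classify hardening evidence from `nm -D` output of a built binary."""
import re

# Constructed sample of `nm -D --undefined-only` output for a hypothetical
# program built with -fstack-protector-strong and -D_FORTIFY_SOURCE=2.
SAMPLE_HARDENED = """\
                 U __stack_chk_fail@GLIBC_2.4
                 U __strcpy_chk@GLIBC_2.3.4
                 U __printf_chk@GLIBC_2.3.4
                 U __libc_start_main@GLIBC_2.34
                 U puts@GLIBC_2.2.5
"""

# Constructed sample for the same program built without either flag.
SAMPLE_PLAIN = """\
                 U __libc_start_main@GLIBC_2.34
                 U strcpy@GLIBC_2.2.5
                 U printf@GLIBC_2.2.5
                 U puts@GLIBC_2.2.5
"""

# Functions glibc replaces with a __*_chk variant when _FORTIFY_SOURCE is
# active and the compiler can see the destination buffer size.
FORTIFIABLE = {"strcpy", "strcat", "memcpy", "memset", "sprintf",
               "printf", "read", "gets"}

# nm line: optional hex address, one-letter symbol type, symbol name.
SYM_RE = re.compile(r"^\s*(?:[0-9a-f]+\s+)?([A-Za-z])\s+(\S+)$")

def undefined_symbols(nm_output):
    """Return the names (glibc version suffix stripped) of undefined symbols."""
    names = set()
    for line in nm_output.splitlines():
        m = SYM_RE.match(line)
        if m and m.group(1) == "U":
            names.add(m.group(2).split("@", 1)[0])
    return names

def hardening_report(nm_output):
    """Summarise what the undefined symbols reveal about the build flags."""
    syms = undefined_symbols(nm_output)
    # "__strcpy_chk" -> "strcpy"; __stack_chk_fail does not match this pattern.
    fortified = {s[2:-4] for s in syms if s.startswith("__") and s.endswith("_chk")}
    return {
        "stack_protector": "__stack_chk_fail" in syms,
        "fortify_source": bool(fortified),
        # Fortifiable functions still called unwrapped: either the flag was
        # dropped, or the compiler could not prove a buffer size for that call.
        "unfortified_calls": sorted(FORTIFIABLE & syms),
    }
```

Absence of evidence is only a hint: a program with no arrays and no fortifiable calls references neither symbol even when built with both flags, so a positive report is reliable but a negative one needs a look at the actual compiler invocation in the build log.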