[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Plan for Guix security (was Re: Long term plan for GuixSD security:
|
From: |
Marius Bakke |
|
Subject: |
Re: Plan for Guix security (was Re: Long term plan for GuixSD security: microkernels, ocap, RISC-V support) |
|
Date: |
Wed, 26 Dec 2018 14:42:03 +0100 |
|
User-agent: |
Notmuch/0.28 (https://notmuchmail.org) Emacs/26.1 (x86_64-pc-linux-gnu) |
Hello!
Alex Vong <address@hidden> writes:
> Besides, I remember we have discuss about hardening before. Should I
> start a new hardening branch? (although I don't time to work on it right
> now). I think this is something we can do now.
>
> My idea is to create a new guix module (guix build hardening) which
> should contains various build flags. Then we should modifiy each build
> system to import from this new module and fix any build error caused by
> it. We can ask the build farm to evaluate this new branch, right?
>
>
> What do you think?
Thank you for taking the initiative! This sounds great to me. I
imagine the build systems could get an argument along the lines of
#:hardening-flags '(pie fortify stack-protector ...).
For gnu-build-system, I suppose we'd build up CFLAGS, LDFLAGS and
friends? We'll also have to modify all packages that override those
variables.
signature.asc
Description: PGP signature