From mboxrd@z Thu Jan 1 00:00:00 1970
From: Ricardo Wurmus
Subject: Re: Hardening
Date: Wed, 17 Aug 2016 08:49:36 +0200
Message-ID: <871t1n99fj.fsf@elephly.net>
References: <20151031215617.4df7ce04@debian> <878u6caz6z.fsf@gnu.org> <87k2o2a68b.fsf@gmail.com> <87y4cbsyyh.fsf_-_@gnu.org> <20160816235711.GA24579@jasmine>
In-reply-to: <20160816235711.GA24579@jasmine>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Leo Famulari
Cc: guix-devel@gnu.org

Leo Famulari writes:

> On Wed, Dec 30, 2015 at 05:06:30PM +0100, Ludovic Courtès wrote:
>> Alex Vong skribis:
>> > Yes, I grep for `fstack-protector-strong' in the guix code base and no
>> > matches are found. It appears no packages are setting this flag
>> > currently. I think this flag (perhaps also a couple others) should be
>> > set by default since they help protect against buffer overflow.
>>
>> I definitely agree, that’s something I’ve been wanting to try out.
>>
>> The question is more how. Do we change the default #:configure-flags
>> for ‘gnu-build-system’ to something like:
>>
>> '("CPPFLAGS=-D_FORTIFY_SOURCE=2"
>> "CFLAGS=-O2 -g -fstack-protector-strong")
>>
>> ?
>>
>> That sounds like a good starting point, but I expect that (1) one third
>> of the packages will fail to build, and (2) another third of the
>> packages will not get these flags, for instance because they pass their
>> own #:configure-flags.
>>
>> IOW, it will take a whole rebuild to find out exactly what’s going on
>> and to fix any issues.
>>
>> Would you like to start working on it? Then we could create a branch,
>> have Hydra build it, and incrementally fix things.
>
> We should pick this project back up. I was surprised to find we haven't
> done anything like this after reading this recent blog post about Nix's
> hardening effort:
>
> https://blog.mayflower.de/5800-Hardening-Compiler-Flags-for-NixOS.html?utm_source=twitterfeed&utm_medium=twitter

Are the above flags the only flags we’d like to play with?

There’s no harm in letting hydra rebuild the world with these flags on a
separate branch — provided that all build nodes are usable.

~~ Ricardo
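Once such a branch has been built, the question Ludovic raises in point (2) of the quoted message is which packages actually received the flags. The shell script below is an added example, not code from this thread or from Guix: it inspects the symbol imports of a linked binary (the `nm -D` listing from binutils) for the markers `-fstack-protector-strong` and `-D_FORTIFY_SOURCE=2` leave behind, and runs on constructed sample listings so it needs no real package.

```shell
#!/bin/sh
# Look for the traces the two flags from the thread leave in a linked binary:
#   -fstack-protector-strong     -> protected functions import __stack_chk_fail
#   -D_FORTIFY_SOURCE=2 with -O2 -> fortifiable libc calls become __*_chk imports
# Input is the text printed by `nm -D <binary>` (one symbol per line).

# Exit 0 when an undefined (U) or weak (w) __stack_chk_fail import is present.
has_stack_protector() {
    grep -Eq '^[[:space:]]*[Uw][[:space:]]+__stack_chk_fail(@|$)'
}

# Exit 0 when at least one fortified libc wrapper such as __memcpy_chk is imported.
has_fortify() {
    grep -Eq '^[[:space:]]*[Uw][[:space:]]+__[a-z0-9_]+_chk(@|$)'
}

# Read one `nm -D` listing from stdin and print a one-line verdict.
# A missing marker is only "no evidence": a function with no stack arrays gets
# no canary, and a program that never calls a fortifiable function gets no
# __*_chk import, even when both flags were passed to the compiler.
summarize() {
    symbols=$(cat)
    sp=no; fo=no
    printf '%s\n' "$symbols" | has_stack_protector && sp=yes
    printf '%s\n' "$symbols" | has_fortify && fo=yes
    printf 'stack-protector=%s fortify=%s\n' "$sp" "$fo"
}

# Wrapper for a real file; needs binutils' nm on PATH (not used by the samples).
check_binary() {
    nm -D "$1" | summarize
}

# Constructed sample listing in `nm -D` format for a build with both flags;
# not taken from any real Guix package.
SAMPLE_HARDENED='                 U __memcpy_chk@GLIBC_2.3.4
                 U __printf_chk@GLIBC_2.3.4
                 U __stack_chk_fail@GLIBC_2.4
                 U __libc_start_main@GLIBC_2.34
0000000000001139 T main'

# Constructed listing for the same program built with neither flag.
SAMPLE_PLAIN='                 U memcpy@GLIBC_2.14
                 U printf@GLIBC_2.2.5
                 U __libc_start_main@GLIBC_2.34
0000000000001139 T main'

printf '%s\n' "$SAMPLE_HARDENED" | summarize   # stack-protector=yes fortify=yes
printf '%s\n' "$SAMPLE_PLAIN" | summarize      # stack-protector=no fortify=no
```

Run `check_binary /path/to/built/program` over the outputs of a rebuild to find the packages that silently dropped the flags through their own #:configure-flags.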