From: ng0
Subject: Re: Hardening
Date: Mon, 30 Jan 2017 12:16:01 +0000
Message-ID: <87efzk7nge.fsf@wasp.i-did-not-set--mail-host-address--so-tickle-me>
In-Reply-To: <87h94g7nxs.fsf@wasp.i-did-not-set--mail-host-address--so-tickle-me>
To: Ludovic Courtès
Cc: guix-devel@gnu.org

ng0 writes:

> Ludovic Courtès writes:
>
>> Hi!
>>
>> ng0 skribis:
>>
>>> For starters, I think we could have a "hardened-wip" branch on
>>> savannah (I can't commit anyway directly) and that we can target
>>> SELinux for now, look at Hardened-gentoo and other systems how
>>> they solve issues. Afterwards we need to address the toolchain
>>> level, which to our advantage can be a make and break by hydra
>>> and everyone who wants to contribute to fixing issues can run
>>> their system from the hardening-toolchain-wip branch to
>>> contribute to fixing all the breaking applications.
>>>
>>> Then we need to discuss whether we want to provide this by default
>>> (my choice) OR if we want to offer a branch-choice model.
>>> Supporting both vanilla and hardened might take some more burden
>>> on fixing issues, that's why I'm all for forming a team of people
>>> who work on this, and when they no longer want to, other people
>>> join the rest of the old team, etc.
>>
>> Before creating a branch, I think we need a plan. :-)
>>
>> Alex Vong proposed ways to achieve it a while back:
>>
>> https://lists.gnu.org/archive/html/guix-devel/2015-12/msg00702.html
>>
>> I suggest taking a look at the discussion and starting from there.
>
> Okay, I did and I don't see right now how this new (guix build
> build-flags) module would be applied to the gnu build system for
> example.
> Would the (gnu build system) just use it somehow? I'd like to
> test it, but I didn't write it.

Sorry, correction: I must have skipped the explanation at the
beginning, I do understand it. And it makes sense… it's in the
interest of my blend of GuixSD, so unless someone really has a burning
desire to work on this, I will try to produce something functional
with changes to the build system(s) to use hardened flags by default,
with opt-out for: other build-systems I do not understand, and whatnot.

There's no harm in not providing something like:

#:hardened? #f

for those applications which still need to be patched, but I prefer to
fix rather than provide the easy way out.

> I also would like to rename it to (guix build build-flags-glibc)
> (or -gcc) as I want to see a point where we have more than just
> glibc. We don't have to build them (the substitutes, packages) all
> on hydra. musl and uclibc-ng can be without substitutes as long
> as the means of distribution or disk space are not working out for us.
> And both can (and will) get hardened builds as well.
>
>> The best option is probably to start small (limited set of
>> features/flags/options) and then incrementally improve that.
>>
>> Ludo’.
>
> --
> ng0 -- https://www.inventati.org/patternsinthechaos/

--
ng0 -- https://www.inventati.org/patternsinthechaos/