From: ng0
Subject: Re: Hardening
Date: Mon, 30 Jan 2017 12:05:35 +0000
Message-ID: <87h94g7nxs.fsf@wasp.i-did-not-set--mail-host-address--so-tickle-me>
References: <20170124111934.16080-1-contact.ng0@cryptolab.net> <20170124190726.GB6110@jasmine> <87bmuw2n3j.fsf@wasp.i-did-not-set--mail-host-address--so-tickle-me> <20170124210233.GB30771@jasmine> <878tq02mij.fsf@wasp.i-did-not-set--mail-host-address--so-tickle-me> <8760l42m2o.fsf@wasp.i-did-not-set--mail-host-address--so-tickle-me> <20170124213259.GA17982@jasmine> <87vat49l6p.fsf@wasp.i-did-not-set--mail-host-address--so-tickle-me> <87tw8nxpcz.fsf@gnu.org>
In-Reply-To: <87tw8nxpcz.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Ludovic Courtès
Cc: guix-devel@gnu.org

Ludovic Courtès writes:

> Hi!
>
> ng0 skribis:
>
>> For starters, I think we could have a "hardened-wip" branch on
>> savannah (I can't commit anyway directly) and that we can target
>> SELinux for now, look at Hardened-gentoo and other systems how
>> they solve issues. Afterwards we need to address the toolchain
>> level, which to our advantage can be a make and break by hydra
>> and everyone who wants to contribute to fixing issues can run
>> their system from the hardening-toolchain-wip branch to
>> contribute to fixing all the breaking applications.
>>
>> Then we need to discuss whether we want to provide this by default
>> (my choice) OR if we want to offer a branch-choice model.
>> Supporting both vanilla and hardened might take some more burden
>> on fixing issues, that's why I'm all for forming a team of people
>> who work on this, and when they no longer want to, other people
>> join the rest of the old team, etc.
>
> Before creating a branch, I think we need a plan. :-)
>
> Alex Vong proposed ways to achieve it a while back:
>
> https://lists.gnu.org/archive/html/guix-devel/2015-12/msg00702.html
>
> I suggest taking a look at the discussion and starting from there.

Okay, I did and I don't see right now how this new (guix build build-flags)
module would be applied to the gnu build system for example. Would the
(gnu build system) just use it somehow? I'd like to test it, but I didn't
write it.

I also would like to rename it to (guix build build-flags-glibc) (or -gcc)
as I want to see a point where we have more than just glibc. We don't have
to build them (the substitutes, packages) all on hydra. musl and uclibc-ng
can be without substitutes as long as the means of distribution or
diskspace are not working out for us. And both can (and will) get hardened
builds as well.

> The best option is probably to start small (limited set of
> features/flags/options) and then incrementally improve that.
>
> Ludo’.

-- 
ng0 -- https://www.inventati.org/patternsinthechaos/
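The thread is about getting a hardened toolchain (hardening flags for glibc, gcc and later other libcs) into Guix builds. Whoever runs the proposed hardening-toolchain-wip branch needs a way to verify that rebuilt packages actually came out hardened. The following is an added example, not code from this thread, from Guix, or from ng0 or Ludovic: a small C inspector that parses an ELF64 file and reports the four markers a hardened toolchain leaves in the binary (PIE, a non-executable stack, RELRO and BIND_NOW). It assumes a Linux host with glibc's <elf.h> and a little-endian build; the two sample images it constructs in memory are synthetic test data (a constructed "hardened" and "unhardened" layout), not real binaries.

```c
/* Added example: ELF64 hardening-marker inspector (assumes Linux/glibc
 * <elf.h> and a little-endian host). Reports PIE, NX stack, RELRO and
 * BIND_NOW for a file or an in-memory image. */
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct hardening { int pie, nx_stack, relro, bind_now; };

/* Parse an ELF64 image held in memory. Returns 0 on success, -1 if the
 * buffer is not a well-formed little-endian ELF64 file. Every offset is
 * bounds-checked against len before it is read. */
int analyze_buffer(const unsigned char *buf, size_t len, struct hardening *h)
{
    if (!buf || !h || len < sizeof(Elf64_Ehdr)) return -1;
    Elf64_Ehdr eh; memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_ident[EI_DATA] != ELFDATA2LSB) return -1;
    if (eh.e_phentsize != sizeof(Elf64_Phdr) || eh.e_phoff > len ||
        eh.e_phnum > (len - eh.e_phoff) / sizeof(Elf64_Phdr)) return -1;

    memset(h, 0, sizeof *h);
    h->pie = (eh.e_type == ET_DYN);   /* ET_EXEC binaries get no ASLR of text */
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph; memcpy(&ph, buf + eh.e_phoff + i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_STACK)        /* absent header = executable stack */
            h->nx_stack = !(ph.p_flags & PF_X);
        else if (ph.p_type == PT_GNU_RELRO)
            h->relro = 1;
        else if (ph.p_type == PT_DYNAMIC) {
            if (ph.p_offset > len || ph.p_filesz > len - ph.p_offset) return -1;
            for (size_t j = 0; j < ph.p_filesz / sizeof(Elf64_Dyn); j++) {
                Elf64_Dyn d; memcpy(&d, buf + ph.p_offset + j * sizeof d, sizeof d);
                if (d.d_tag == DT_NULL) break;
                if (d.d_tag == DT_BIND_NOW ||
                    (d.d_tag == DT_FLAGS && (d.d_un.d_val & DF_BIND_NOW)) ||
                    (d.d_tag == DT_FLAGS_1 && (d.d_un.d_val & DF_1_NOW)))
                    h->bind_now = 1;      /* full RELRO needs RELRO + BIND_NOW */
            }
        }
    }
    return 0;
}

/* Read a whole file and hand it to analyze_buffer. Returns 0 or -1. */
int analyze_file(const char *path, struct hardening *h)
{
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    int rc = -1;
    long sz = (fseek(f, 0, SEEK_END) == 0) ? ftell(f) : -1;
    if (sz > 0 && fseek(f, 0, SEEK_SET) == 0) {
        unsigned char *buf = malloc((size_t)sz);
        if (buf && fread(buf, 1, (size_t)sz, f) == (size_t)sz)
            rc = analyze_buffer(buf, (size_t)sz, h);
        free(buf);
    }
    fclose(f);
    return rc;
}

/* Constructed test data, not a real binary: ELF header, three program
 * headers and a two-entry dynamic section. hardened=1 sets every marker,
 * hardened=0 sets none. Returns the image length, or 0 if cap is too small. */
size_t build_sample_image(unsigned char *buf, size_t cap, int hardened)
{
    const size_t phoff = sizeof(Elf64_Ehdr), dynoff = 240;
    const size_t total = dynoff + 2 * sizeof(Elf64_Dyn);
    if (cap < total) return 0;
    memset(buf, 0, total);
    Elf64_Ehdr eh = {0};
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT; eh.e_version = EV_CURRENT;
    eh.e_type = hardened ? ET_DYN : ET_EXEC; eh.e_machine = EM_X86_64;
    eh.e_ehsize = sizeof eh; eh.e_phoff = phoff;
    eh.e_phentsize = sizeof(Elf64_Phdr); eh.e_phnum = 3;
    memcpy(buf, &eh, sizeof eh);
    Elf64_Phdr ph[3] = {0};
    ph[0].p_type = PT_GNU_STACK; ph[0].p_flags = PF_R | PF_W | (hardened ? 0 : PF_X);
    ph[1].p_type = hardened ? PT_GNU_RELRO : PT_NULL; ph[1].p_flags = PF_R;
    ph[2].p_type = PT_DYNAMIC; ph[2].p_flags = PF_R | PF_W;
    ph[2].p_offset = dynoff; ph[2].p_filesz = 2 * sizeof(Elf64_Dyn);
    memcpy(buf + phoff, ph, sizeof ph);
    Elf64_Dyn dyn[2] = {0};
    dyn[0].d_tag = DT_FLAGS; dyn[0].d_un.d_val = hardened ? DF_BIND_NOW : 0;
    dyn[1].d_tag = DT_NULL;
    memcpy(buf + dynoff, dyn, sizeof dyn);
    return total;
}

/* Bitmask of markers found in the constructed sample: bit0 PIE, bit1 NX
 * stack, bit2 RELRO, bit3 BIND_NOW; -1 if the image fails to parse. */
int sample_bits(int hardened)
{
    unsigned char img[512]; struct hardening h;
    size_t n = build_sample_image(img, sizeof img, hardened);
    if (n == 0 || analyze_buffer(img, n, &h) != 0) return -1;
    return h.pie | h.nx_stack << 1 | h.relro << 2 | h.bind_now << 3;
}

static void report(const char *name, const struct hardening *h)
{
    printf("%-28s PIE:%-3s NX:%-3s RELRO:%-3s BIND_NOW:%s\n", name,
           h->pie ? "yes" : "no", h->nx_stack ? "yes" : "no",
           h->relro ? "yes" : "no", h->bind_now ? "yes" : "no");
}

int main(int argc, char **argv)
{
    struct hardening h;
    if (argc > 1) {                 /* inspect binaries named on the command line */
        for (int i = 1; i < argc; i++)
            if (analyze_file(argv[i], &h) == 0) report(argv[i], &h);
            else fprintf(stderr, "%s: not a readable ELF64 file\n", argv[i]);
        return 0;
    }
    unsigned char img[512];          /* no arguments: show the constructed samples */
    if (analyze_buffer(img, build_sample_image(img, sizeof img, 1), &h) == 0)
        report("constructed hardened", &h);
    if (analyze_buffer(img, build_sample_image(img, sizeof img, 0), &h) == 0)
        report("constructed unhardened", &h);
    return 0;
}
```

Run it with no arguments to see the two constructed samples, or pass paths to binaries built from a hardening branch to compare against a vanilla build of the same package. Stack protector and FORTIFY_SOURCE leave no program-header marker, so they are not covered here; those need symbol inspection (for example the presence of `__stack_chk_fail` or `__*_chk` imports), which is a separate check.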