From mboxrd@z Thu Jan 1 00:00:00 1970 From: ng0 Subject: Re: Hardening (was: Re: tor: update to 0.2.9.9) Date: Tue, 24 Jan 2017 21:56:14 +0000 Message-ID: <87vat49l6p.fsf@wasp.i-did-not-set--mail-host-address--so-tickle-me> References: <20170124111934.16080-1-contact.ng0@cryptolab.net> <20170124190726.GB6110@jasmine> <87bmuw2n3j.fsf@wasp.i-did-not-set--mail-host-address--so-tickle-me> <20170124210233.GB30771@jasmine> <878tq02mij.fsf@wasp.i-did-not-set--mail-host-address--so-tickle-me> <8760l42m2o.fsf@wasp.i-did-not-set--mail-host-address--so-tickle-me> <20170124213259.GA17982@jasmine> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:60470) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cW93d-0005gu-0V for guix-devel@gnu.org; Tue, 24 Jan 2017 16:55:18 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cW93Z-00037d-59 for guix-devel@gnu.org; Tue, 24 Jan 2017 16:55:17 -0500 Received: from latitanza.investici.org ([2001:888:2000:56::19]:36143) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cW93Y-00037M-Rz for guix-devel@gnu.org; Tue, 24 Jan 2017 16:55:13 -0500 In-Reply-To: <20170124213259.GA17982@jasmine> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Leo Famulari Cc: guix-devel@gnu.org Leo Famulari writes: > On Tue, Jan 24, 2017 at 09:18:55PM +0000, ng0 wrote: >> ng0 writes: >> > Leo Famulari writes: >> >>> It would be great to see some movement on this during this >> >>> year. I volunteer to help with it, though I don't have as much >> >>> experience with SELinux (and only basic experience with >> >>> GrSecurity without a modular kernel like GuixSD uses). >> >> >> >> Yes, this effort needs a champion. >>=20 >> No, I would say this needs an effort of more than one person. At >> best a team of people who either are willing to learn about >> system hardening or already know enough, maybe even a combination >> of both to share knowledge :) > > Sure, the more people the better. But so far, not a single person has > begun working on it, so I'd be happy with just one. I feel confident enough to do it, but I also know that I am overloaded with packages and services I work on. For starters, I think we could have an "hardened-wip" branch on savannah (I can't commit anyway directly) and that we can target SELinux for now, look at Hardened-gentoo and other systems how they solve issues. Afterwards we need to address the toolchain level, which to our advantage can be an make and break by hydra and everyone who wants to contribute to fixing issues can run their system from the hardening-toolchain-wip branch to contribute to fixing all the breaking applications. Then we need to discuss wether we want to provide this by default (my choice) OR if we want to offer a branch-choice model. Supporting both vanilla and hardened might take some more burden on fixing issues, that's why I'm all for forming a team of people who work on this, and when they no longer want to, other people join the rest of the old team, etc. Right now I'm trying to get uclib-ng done for a while, and when this is added, we could at some point handle more than one toolchain (and hardened), where it gets complicated. --=20 =E2=99=A5=E2=92=B6 ng0 -- https://www.inventati.org/patternsinthechaos/