From: ludo@gnu.org (Ludovic Courtès)
To: Alex Vong
Cc: guix-devel@gnu.org
Subject: Hardening
Date: Wed, 30 Dec 2015 17:06:30 +0100
Message-ID: <87y4cbsyyh.fsf_-_@gnu.org>

Alex Vong writes:

> ludo@gnu.org (Ludovic Courtès) writes:

[...]

>> Alex Vong writes:
>>
>>> From 6ad35e245c374ff828f167bb3467ce68559ccefd Mon Sep 17 00:00:00 2001
>>> From: Alex Vong
>>> Date: Sat, 31 Oct 2015 19:44:13 +0800
>>> Subject: [PATCH 1/2] Add (guix build build-flags).
>>>
>>> A module to manipulate build flags, similar to dpkg-buildflags.
>>>
>>> * guix/build/build-flags.scm: New file.
>>> * Makefile.am (MODULES): Register it.
>>
>> [...]
>>
>>> +;;; Module to manipulate build flags, similar to dpkg-buildflags.
>>
>> It doesn’t really help to refer to dpkg-buildflags, at least for me. ;-)
>>
> Sure, I should have elaborated more on it. What I am looking for are
> ways to avoid repeating a lot of flags in different packages, something
> like `use this set of flags, please'. For example, in Debian, if you
> type
>
>   $ dpkg-buildflags --get CFLAGS
>
> you get
>
>   -g -O2 -fstack-protector-strong -Wformat -Werror=format-security
>
> which are the default flags to be exported during package
> build. Moreover, maintainer can alter the default behaviour by setting
> DEB_BUILD_MAINT_OPTIONS. For example,
>
>   $ DEB_BUILD_MAINT_OPTIONS=hardening=+all dpkg-buildflags --get CFLAGS
>
> will return
>
>   -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security

I see. My comment was more about the code itself, whose documentation
should be self-contained as much as possible.

[...]

>> I’ve been thinking we should experiment with these various options. The
>> way I’d do it now would be by running:
>>
>>   ./configure x y z CPPFLAGS=-D_FORTIFY_SOURCE=2 CFLAGS=-fstack-protector
>>
>> This would be just automatically added to #:configure-flags in
>> gnu-build-system.scm.
>>
>> Of course, some packages would ignore them and others would break, but
>> that’s part of the game. It largely has to be approached on a
>> case-by-case basis.
>>
> Yes, I grep for `fstack-protector-strong' in the guix code base and no
> matches are found. It appears no packages are setting this flag
> currently. I think this flag (perhaps also a couple others) should be
> set by default since they help protect against buffer overflow
> .

I definitely agree, that’s something I’ve been wanting to try out.

The question is more how. Do we change the default #:configure-flags
for ‘gnu-build-system’ to something like:

  '("CPPFLAGS=-D_FORTIFY_SOURCE=2"
    "CFLAGS=-O2 -g -fstack-protector-strong")

?

That sounds like a good starting point, but I expect that (1) one third
of the packages will fail to build, and (2) another third of the
packages will not get these flags, for instance because they pass their
own #:configure-flags.

IOW, it will take a whole rebuild to find out exactly what’s going on
and to fix any issues.

Would you like to start working on it? Then we could create a branch,
have Hydra build it, and incrementally fix things.

Thanks,
Ludo’.
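
An added example, not part of the original message or of Guix: one way to find packages that built but did not pick up the flags discussed above is to look at the symbols each built binary imports. The script assumes the input is the text printed by `nm -D --undefined-only` for one binary linked against glibc; the function names and the two sample listings are constructed for illustration.

```python
import re

# Undefined libc symbols that indicate each hardening flag took effect.
STACK_PROTECTOR = {"__stack_chk_fail", "__stack_chk_guard"}
FORTIFIED_RE = re.compile(r"^__\w+_chk$")  # __memcpy_chk, __sprintf_chk, ...
# Functions glibc can swap for a *_chk variant under _FORTIFY_SOURCE (partial list).
FORTIFIABLE = {"memcpy", "memmove", "memset", "strcpy", "strncpy", "strcat",
               "sprintf", "snprintf", "vsprintf", "gets", "fgets", "read"}

def undefined_symbols(nm_output):
    """Names of undefined symbols in `nm -D --undefined-only` output."""
    names = set()
    for line in nm_output.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0] in ("U", "w"):
            names.add(fields[1].split("@", 1)[0])  # drop "@GLIBC_x.y"
    return names

def audit(nm_output):
    """Heuristic verdict: absence of a marker is a hint, not proof.

    -fstack-protector-strong leaves no canary in code without local arrays or
    address-taken locals, and fortification needs optimization plus a known
    object size, so plain calls can remain in a correctly flagged build.
    """
    syms = undefined_symbols(nm_output)
    return {
        "stack_protector": bool(syms & STACK_PROTECTOR),
        "fortified": sorted(s for s in syms if FORTIFIED_RE.match(s)),
        "unfortified": sorted(syms & FORTIFIABLE),
    }

# Constructed sample listings (not taken from a real package build).
HARDENED = """\
                 U __libc_start_main@GLIBC_2.2.5
                 U __memcpy_chk@GLIBC_2.3.4
                 U __sprintf_chk@GLIBC_2.3.4
                 U __stack_chk_fail@GLIBC_2.4
                 w __gmon_start__
                 U strlen@GLIBC_2.2.5
"""
PLAIN = """\
                 U __libc_start_main@GLIBC_2.2.5
                 U memcpy@GLIBC_2.14
                 U sprintf@GLIBC_2.2.5
                 w __gmon_start__
"""

if __name__ == "__main__":
    for name, listing in (("hardened", HARDENED), ("plain", PLAIN)):
        print(name, audit(listing))
```

A binary that reports no stack protector marker and only unfortified calls is a candidate for the "did not get these flags" group and is worth checking against its build log.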