From: kiasoc5--- via "Development of GNU Guix and the GNU System distribution." <guix-devel@gnu.org>
To: zimoun <zimon.toutoune@gmail.com>
Cc: "Ludovic Courtès" <ludo@gnu.org>,
"Maxim Cournoyer" <maxim.cournoyer@gmail.com>,
"Guix Devel" <guix-devel@gnu.org>
Subject: Re: Hardened toolchain
Date: Fri, 29 Apr 2022 17:51:26 +0200 (CEST) [thread overview]
Message-ID: <N0q0GJF--3-2@tutanota.com> (raw)
In-Reply-To: <87h76ccha7.fsf@gmail.com>
Apr 29, 2022, 10:31 by zimon.toutoune@gmail.com:
> Hi,
>
> On Tue, 29 Mar 2022 at 12:15, Ludovic Courtès <ludo@gnu.org> wrote:
>
>> Stack smashing protection (SSP) may incur measurable run-time overhead
>> though so enabling that one by default may be less consensual.
>>
>
> That’s true and it could be an issue for HPC practitioners. However,
> quoting Wikipedia [1], for what it is worth:
>
> --8<---------------cut here---------------start------------->8---
> All Fedora packages are compiled with -fstack-protector since Fedora
> Core 5, and -fstack-protector-strong since Fedora 20.[19][20] Most
> packages in Ubuntu are compiled with -fstack-protector since 6.10.[21]
> Every Arch Linux package is compiled with -fstack-protector since
> 2011.[22] All Arch Linux packages built since 4 May 2014 use
> -fstack-protector-strong.[23] Stack protection is only used for some
> packages in Debian,[24] and only for the FreeBSD base system since
> 8.0.[25] Stack protection is standard in certain operating systems,
> including OpenBSD,[26] Hardened Gentoo[27] and DragonFly BSD.
> --8<---------------cut here---------------end--------------->8---
>
>
Anaconda (science package distribution) compiles their packages with a variety of security flags. These include PIE, SSP, fortify, RELRO, NOW. https://www.anaconda.com/blog/improved-security-performance-in-anaconda-distribution-5
> Well, I miss if Guix is built using this ’-fstack-protector’ flag; or
> whether it is included by default.
>
Are /any/ build flags used by default? I think right now only an empty list is used for makeflags by default. It also depends on the configuration for gcc and binutils, they can be set to enforce SSP and others by default.
> Cheers,
> simon
>
>
>
> 1: <https://en.wikipedia.org/wiki/Buffer_overflow_protection#GNU_Compiler_Collection_(GCC)>
>
next prev parent reply other threads:[~2022-04-29 16:33 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-21 13:34 Hardened toolchain zimoun
[not found] ` <Mymdzxm--3-2@tutanota.com>
2022-03-22 19:06 ` zimoun
2022-03-22 20:02 ` kiasoc5--- via Development of GNU Guix and the GNU System distribution.
2022-03-25 19:39 ` kiasoc5--- via Development of GNU Guix and the GNU System distribution.
2022-03-25 22:54 ` zimoun
2022-03-26 19:33 ` kiasoc5--- via Development of GNU Guix and the GNU System distribution.
2022-03-26 22:02 ` kiasoc5--- via Development of GNU Guix and the GNU System distribution.
2022-03-27 20:06 ` zimoun
2022-03-27 20:22 ` Maxime Devos
2022-03-28 3:17 ` Maxim Cournoyer
2022-03-28 7:35 ` zimoun
2022-03-29 0:02 ` kiasoc5--- via Development of GNU Guix and the GNU System distribution.
2022-03-29 10:15 ` Ludovic Courtès
2022-04-14 18:59 ` kiasoc5--- via Development of GNU Guix and the GNU System distribution.
2022-04-15 15:18 ` jbranso
2022-04-15 16:04 ` Zhu Zihao
2022-04-15 16:34 ` raingloom
2022-04-26 11:07 ` Katherine Cox-Buday
2022-04-28 17:36 ` Aurora
2022-04-28 17:41 ` Katherine Cox-Buday
2022-04-28 19:53 ` Aurora
2022-04-28 17:50 ` Vagrant Cascadian
2022-04-28 19:54 ` Aurora
2022-04-29 10:31 ` zimoun
2022-04-29 15:51 ` kiasoc5--- via Development of GNU Guix and the GNU System distribution. [this message]
2022-05-02 14:55 ` Katherine Cox-Buday
2022-05-02 16:25 ` Maxime Devos
2022-05-02 17:41 ` zimoun
2022-05-02 21:10 ` Maxime Devos
-- strict thread matches above, loose matches on Subject: below --
2022-04-15 20:36 Nathan Dehnel
2022-04-16 3:51 ` raingloom
2022-03-21 4:31 kiasoc5--- via Development of GNU Guix and the GNU System distribution.
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=N0q0GJF--3-2@tutanota.com \
--to=guix-devel@gnu.org \
--cc=kiasoc5@tutanota.com \
--cc=ludo@gnu.org \
--cc=maxim.cournoyer@gmail.com \
--cc=zimon.toutoune@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).