From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-devel-bounces+larch=yhetil.org@gnu.org>
Received: from mp10.migadu.com ([2001:41d0:8:6d80::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms0.migadu.com with LMTPS
	id 6FHCHPKMWWINxAAAgWs5BA
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Fri, 15 Apr 2022 17:19:14 +0200
Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp10.migadu.com with LMTPS
	id ANdtFfKMWWKrTgAAG6o9tA
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Fri, 15 Apr 2022 17:19:14 +0200
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id CF5EA2AEFC
	for <larch@yhetil.org>; Fri, 15 Apr 2022 17:19:13 +0200 (CEST)
Received: from localhost ([::1]:43366 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	id 1nfNj6-0000c8-NW
	for larch@yhetil.org; Fri, 15 Apr 2022 11:19:12 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:52282)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <jbranso@dismail.de>)
 id 1nfNiq-0000bk-V5
 for guix-devel@gnu.org; Fri, 15 Apr 2022 11:18:56 -0400
Received: from mx1.dismail.de ([78.46.223.134]:28595)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <jbranso@dismail.de>)
 id 1nfNio-0002Qi-A0; Fri, 15 Apr 2022 11:18:56 -0400
Received: from mx1.dismail.de (localhost [127.0.0.1])
 by mx1.dismail.de (OpenSMTPD) with ESMTP id 62a1181a;
 Fri, 15 Apr 2022 17:18:50 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=dismail.de; h=
 mime-version:date:content-type:content-transfer-encoding:from
 :message-id:subject:to:cc:in-reply-to:references; s=20190914;
 bh=XTzcWQ2dWqOKcOgygcprA1D7ffe6hBAlSI5D4J1cYWs=; b=UpzMyhBjTw1m
 1ikIp2X5+NFrCefjPBpMYR2zxPifTDPx6G8VPoX6Rs9O5p3Dsgkr7YIAZFnL8UBg
 3DQsZiNZsWvQnW/dmc8craE+Rg8/V+AHrmFebdjs6y/hPl1fZnxpO0QCfYn6m+my
 nvI+/EguIVDpn1sKApJRyuU3SXUFKyb9BOJ7xcPCSF7PsbWLf+bod6emwPK/JKmi
 1VxDl1uewOqmJU/s9497Z2ceL6jAxcYiXKSSoaF7I1TQuH0E0ekNRLSGRogA6Hut
 FsJkx7IUA4C39EEubJK2Mf3cPhmKCiHW7QWIo8DloEj/S4aTbglhwOeWviCG4Fwf
 1s44QD2BHg==
Received: from smtp1.dismail.de (<unknown> [10.240.26.11])
 by mx1.dismail.de (OpenSMTPD) with ESMTP id f2dc39b2;
 Fri, 15 Apr 2022 17:18:49 +0200 (CEST)
Received: from smtp1.dismail.de (localhost [127.0.0.1])
 by smtp1.dismail.de (OpenSMTPD) with ESMTP id d802d406;
 Fri, 15 Apr 2022 17:18:49 +0200 (CEST)
Received: by dismail.de (OpenSMTPD) with ESMTPSA id ec68459a
 (TLSv1.3:AEAD-AES256-GCM-SHA384:256:NO); 
 Fri, 15 Apr 2022 17:18:49 +0200 (CEST)
MIME-Version: 1.0
Date: Fri, 15 Apr 2022 15:18:48 +0000
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: RainLoop/1.14.0a
From: jbranso@dismail.de
Message-ID: <cf51913efd3c9ce80eaecc72bf52b45f@dismail.de>
Subject: Re: Hardened toolchain
To: kiasoc5@tutanota.com, "=?utf-8?B?THVkb3ZpYyBDb3VydMOocw==?=" <ludo@gnu.org>
Cc: "Maxim Cournoyer" <maxim.cournoyer@gmail.com>, "Maxime Devos"
 <maximedevos@telenet.be>, "Guix Devel" <guix-devel@gnu.org>, "zimoun"
 <zimon.toutoune@gmail.com>
In-Reply-To: <N-dRXVo--B-2@tutanota.com>
References: <N-dRXVo--B-2@tutanota.com> <874k3r8m4m.fsf@gmail.com>
 <8464b1bff3acb0a84f46ea6dcbbeaa7045b03d1c.camel@telenet.be>
 <874k3iwysf.fsf@gmail.com> <87pmm512uv.fsf@gnu.org>
Received-SPF: pass client-ip=78.46.223.134; envelope-from=jbranso@dismail.de;
 helo=mx1.dismail.de
X-Spam_score_int: -27
X-Spam_score: -2.8
X-Spam_bar: --
X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001,
 T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: guix-devel@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+larch=yhetil.org@gnu.org>
X-Migadu-Flow: FLOW_IN
X-Migadu-To: larch@yhetil.org
X-Migadu-Country: US
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1650035953;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post:dkim-signature;
	bh=uFdLiRuRSBs7lPF52oWS44NNHyuScOpqePeW+SJTA78=;
	b=tk/GiR0GcQc3I/T21J3f9engodFmLhK1EtUwfmLKE/Jxn5+E5fjQVyUmDj7ujiDOwHLOw+
	Bh/yEsKnfKsFI8ZxZ40xO3QiSPQpTmpqk0nlfTV0H8+lzuStRYz/L6svxeTLBnfThzoGMS
	1GCwfWi/WKkESwJqoXWbj+PwPuRatWEeaVnFHHyGIUkcfRWLEBNzcdpR03SHNiyUEOU/sy
	YjbzE/g/RQu4uMyVdeFjIfO1MKVJwxDfs86WFaIkqin1csRW8vTI+Usa09LJasrEbHxrin
	+dJ//eBQMRyjc1lmjdd4Z8R62eAmk8sXwLzjXU+Gd2z4NCXMGo6Tqi0U+pO/1A==
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1650035953; a=rsa-sha256; cv=none;
	b=kOaMPxZPDfNc/7FuRSlzQyXUFojhLK/gPzWymCyGrDtgq9DBbcraRtRFDoeuu7mnT+mrps
	ENQkbiMjtj01uKL1hHJSoLjkO2tLn91fu8tmdFaESWhRP/7SdFtx/DxB6OT14okTKaYvAy
	PY1je3RejKeUwQ7rWd8EP9BGegcSzBA6C+UANEy3UhNHC/iI/6Vl7dhIsjvLVfDFownAN4
	ZTPfKNWAuGV/ymttQBViNTiE0QMspWcRCO1KzdTrbcC4yf7ceLfKELiQAJ+JQXJbS8Lg9D
	ADBwbOZVXoDk+oUA9kQGKDGd2NJ4KYtwhx2ETt08BOQuDF+tsKTh0RHZG6jSlQ==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=pass header.d=dismail.de header.s=20190914 header.b=UpzMyhBj;
	dmarc=pass (policy=reject) header.from=dismail.de;
	spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"
X-Migadu-Spam-Score: -4.64
Authentication-Results: aspmx1.migadu.com;
	dkim=pass header.d=dismail.de header.s=20190914 header.b=UpzMyhBj;
	dmarc=pass (policy=reject) header.from=dismail.de;
	spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"
X-Migadu-Queue-Id: CF5EA2AEFC
X-Spam-Score: -4.64
X-Migadu-Scanner: scn0.migadu.com
X-TUID: sxqifbROIQ0E

April 14, 2022 3:00 PM, "Development of GNU Guix and the GNU System distr=
ibution."=0A<guix-devel@gnu.org> wrote:=0A=0A> Mar 29, 2022, 10:15 by lud=
o@gnu.org:=0A> =0A>> Hi,=0A>> =0A>> Maxim Cournoyer <maxim.cournoyer@gmai=
l.com> skribis:=0A> =0A> Maxime Devos <maximedevos@telenet.be> writes:=0A=
>> zimoun schreef op ma 21-03-2022 om 14:34 [+0100]:=0A> =0A> * gcc can b=
e compiled with `--enable-default-ssp --enable-default-=0A> pie`=0A> to e=
nforce ssp and pic=0A>> You wrote [1]:=0A>> =0A>> --8<---------------cut =
here---------------start------------->8---=0A>> (define-public gcc=0A>> (=
package=0A>> (inherit gcc)=0A>> (arguments=0A>> (substitute-keyword-argum=
ents (package-arguments gcc)=0A>> ((#:configure-flags flags=0A>> `(append=
 (list "--enable-default-ssp" "--enable-default-pie")=0A>> ,flags)))))))=
=0A>> --8<---------------cut here---------------end--------------->8---=
=0A>> =0A>> I think it would be a lot simpler to just add this to the 'st=
andard'=0A>> gcc configure flags, in (gnu packages gcc), given that proba=
bly the=0A>> idea is to do this hardening for all packages? Needs a world=
-rebuild=0A>> though.=0A> =0A> +1. The whole distribution can probably be=
nefit from this hardening.=0A>> That=E2=80=99s something worth trying in =
a branch off =E2=80=98core-updates=E2=80=99.=0A>> =0A>> Stack smashing pr=
otection (SSP) may incur measurable run-time overhead=0A>> though so enab=
ling that one by default may be less consensual.=0A> =0A> We could do it =
like how NixOS does it [1]. There can be a `harden?` list in the build sy=
stem that=0A> contains a default set of flags. Packages that need to have=
 less hardening for performance or other=0A> reasons can modify that list=
. I believe this was discussed in an old email (not this thread).=0A=0AI =
like this idea.  I propose we make harden? default to #t.  That way pract=
ically most packages will be built with=0Ahardened features.  Let's face =
it, I am a bit lazy, if I submit a package to guix, I am usually going to=
 be it the easy way.  If the easy way is harden? #f, then that's is how I=
 will submit it.  :)=0A=0A> =0A>> There are other things that could be do=
ne in this area, often with no or=0A>> little overhead, such as building =
with -D_FORTIFY_SOURCE. Doing that=0A>> transparently (without changing b=
uild systems) is a bit of a challenge=0A>> though.=0A>> =0A>> Ludo=E2=80=
=99.=0A> =0A> Where and how should the default make and ldflags be set? I=
 guess they could be set in the=0A> build-system/*.scm.=0A> =0A> [1] http=
s://blog.mayflower.de/5800-Hardening-Compiler-Flags-for-NixOS.html