From: Maxim Cournoyer
To: Maxime Devos
Cc: guix-devel@gnu.org, kiasoc5@tutanota.com, zimoun
Subject: Re: Hardened toolchain
Date: Sun, 27 Mar 2022 23:17:52 -0400
Message-ID: <874k3iwysf.fsf@gmail.com>
In-Reply-To: <8464b1bff3acb0a84f46ea6dcbbeaa7045b03d1c.camel@telenet.be> (Maxime Devos's message of "Sun, 27 Mar 2022 22:22:20 +0200")
References: <874k3r8m4m.fsf@gmail.com> <8464b1bff3acb0a84f46ea6dcbbeaa7045b03d1c.camel@telenet.be>
List-Id: "Development of GNU Guix and the GNU System distribution."

Hi,

Maxime Devos writes:

> zimoun wrote on Mon 21-03-2022 at 14:34 [+0100]:
>> > * gcc can be compiled with `--enable-default-ssp --enable-default-
>> > pie`
>> > to enforce ssp and pic
>>
>> You wrote [1]:
>>
>> --8<---------------cut here---------------start------------->8---
>> (define-public gcc
>>   (package
>>     (inherit gcc)
>>     (arguments
>>      (substitute-keyword-arguments (package-arguments gcc)
>>        ;; Each clause is (keyword variable) followed by the replacement
>>        ;; expression; the replacement prepends the hardening switches
>>        ;; to the inherited configure flags.
>>        ((#:configure-flags flags)
>>         `(append (list "--enable-default-ssp" "--enable-default-pie")
>>                  ,flags))))))
>> --8<---------------cut here---------------end--------------->8---
>
> I think it would be a lot simpler to just add this to the 'standard'
> gcc configure flags, in (gnu packages gcc), given that probably the
> idea is to do this hardening for all packages?  Needs a world-rebuild
> though.

+1.  The whole distribution can probably benefit from this hardening.

Maxim
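The snippet quoted above hard-codes a single package and refers to itself by name. As an added example that is not code from this thread or from Guix itself, the module below turns the same idea into a procedure that derives a hardened variant from any GCC package exported by (gnu packages gcc), so the two configure switches are written once and applied to several compiler versions. The module name (hardened gcc), the procedure name harden-gcc and the "-hardened" name suffix are assumptions of this example; it also assumes the base package's #:configure-flags is a plain quoted S-expression, as it was for gcc at the time of the thread.

```scheme
;; Added example, not code from the thread.  Module name is hypothetical.
(define-module (hardened gcc)
  #:use-module (guix packages)        ; package, package-name, package-arguments
  #:use-module (guix utils)           ; substitute-keyword-arguments
  #:use-module (gnu packages gcc)     ; gcc, gcc-11
  #:export (harden-gcc))

;; The two switches under discussion.  --enable-default-ssp makes
;; -fstack-protector-strong the compiler default and --enable-default-pie
;; makes -fPIE/-pie the default, so every program built with this GCC gets
;; both without per-package flags.
(define %hardening-configure-flags
  '("--enable-default-ssp" "--enable-default-pie"))

(define (harden-gcc base)
  "Return a copy of BASE, a GCC package, whose compiler enables the stack
protector and PIE by default.  BASE is left untouched."
  (package
    (inherit base)
    (name (string-append (package-name base) "-hardened"))
    (arguments
     ;; Clause shape: (keyword variable) then the replacement expression.
     ;; FLAGS is the base package's (build-side) configure-flags expression,
     ;; and the quoted list of switches is prepended to it.
     (substitute-keyword-arguments (package-arguments base)
       ((#:configure-flags flags)
        `(append ',%hardening-configure-flags ,flags))))))

;; Hardened variants for compiler versions exported by (gnu packages gcc).
(define-public gcc-hardened    (harden-gcc gcc))
(define-public gcc-11-hardened (harden-gcc gcc-11))
```

Placing this file under a directory given to `guix build -L <dir> gcc-hardened` builds the variant without modifying the distribution. Note the limitation Maxime points out: a separate package like this only hardens programs explicitly compiled with it; making the defaults apply to every package in the distribution means changing the standard gcc in (gnu packages gcc), which implies a world rebuild.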