all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
From: ng0 <contact.ng0@cryptolab.net>
To: guix-devel@gnu.org
Subject: Re: Hardening (was: Re: tor: update to 0.2.9.9)
Date: Tue, 24 Jan 2017 21:18:55 +0000	[thread overview]
Message-ID: <8760l42m2o.fsf@wasp.i-did-not-set--mail-host-address--so-tickle-me> (raw)
In-Reply-To: <878tq02mij.fsf@wasp.i-did-not-set--mail-host-address--so-tickle-me>

ng0 <contact.ng0@cryptolab.net> writes:

> Leo Famulari <leo@famulari.name> writes:
>
>> On Tue, Jan 24, 2017 at 08:56:48PM +0000, ng0 wrote:
>>> Leo Famulari <leo@famulari.name> writes:
>>> > Should we build Tor with "--enable-expensive-hardening"?
>>> 
>>> I will take a look later what can be applied other than the
>>> default configure flags.
>>> 
>>> I'm all for hardening, but it seems that the first basic ideas
>>> for Guix are stuck in the idea state.
>>
>> As far as I can tell, --enable-expensive-hardening is specific to Tor,
>> so it's not relevant to the project of hardening all Guix packages.
>
> Yes.
>
> I'm building this change right now:
>
> +    (arguments
> +     `(#:configure-flags (list "--enable-expensive-hardening"
> +                               "--enable-gcc-hardening"
> +                               "--enable-linker-hardening")))
>
> Taken from Gentoo, I trust their hardening project to debug and
> discover good usage.
>
>>> It would be great to see some movement on this during this
>>> year. I volunteer to help with it, though I don't have as much
>>> experience with SELinux (and only basic experience with
>>> GrSecurity without a modular kernel like GuixSD uses).
>>
>> Yes, this effort needs a champion.

No, I would say this needs an effort of more than one person. At
best a team of people who either are willing to learn about
system hardening or already know enough, maybe even a combination
of both to share knowledge :)

-- 
♥Ⓐ  ng0 -- https://www.inventati.org/patternsinthechaos/

  reply	other threads:[~2017-01-24 21:17 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-01-24 11:19 tor: update to 0.2.9.9 contact.ng0
2017-01-24 11:19 ` [PATCH] gnu: tor: Update " contact.ng0
2017-01-24 19:06   ` Leo Famulari
2017-01-24 19:07 ` tor: update " Leo Famulari
2017-01-24 20:56   ` Hardening (was: Re: tor: update to 0.2.9.9) ng0
2017-01-24 21:02     ` Leo Famulari
2017-01-24 21:09       ` ng0
2017-01-24 21:18         ` ng0 [this message]
2017-01-24 21:32           ` Leo Famulari
2017-01-24 21:56             ` ng0
2017-01-24 22:14               ` ng0
2017-01-25 13:04               ` Hardening Ludovic Courtès
2017-01-30 12:05                 ` Hardening ng0
2017-01-30 12:16                   ` Hardening ng0
2017-01-25  9:09       ` Hardening (was: Re: tor: update to 0.2.9.9) Ricardo Wurmus
2017-01-25 11:51         ` Hardening ng0

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=8760l42m2o.fsf@wasp.i-did-not-set--mail-host-address--so-tickle-me \
    --to=contact.ng0@cryptolab.net \
    --cc=guix-devel@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.