From: ng0@n0.is
Subject: Re: hardening
Date: Mon, 29 Jan 2018 20:55:45 +0000
Message-ID: <878tcgl6zy.fsf@abyayala.i-did-not-set--mail-host-address--so-tickle-me>
References: <87a7wwesx2.fsf@abyayala.i-did-not-set--mail-host-address--so-tickle-me>
 <1517253693.1849044.1252215808.688B23B5@webmail.messagingengine.com>
In-Reply-To: <1517253693.1849044.1252215808.688B23B5@webmail.messagingengine.com> (Joshua Branson's message of "Mon, 29 Jan 2018 11:21:33 -0800")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: guix-devel@gnu.org

Hi,

On Mon, 29 Jan 2018, Joshua Branson wrote:

> Is this something anyone can start using now?
> Like I can modify my config.scm file somehow and start enjoying a hardened guix?

Sorry to disappoint you, I'd like to have it usable also right now :)
But: no. This takes some time and testing. I'll send patches as soon as
I have something to go with, today I only had breakage on the bootstrap
level ;)

> On Mon, Jan 29, 2018, at 4:44 AM, ng0@n0.is wrote:
>> Hi,
>>
>> as we've long talked and not really taken action on hardening builds
>> I've started working on an opt-in way as last discussed in
>> September 2016, modifying the gnu-build-system with a
>> #:hardening-flags keyword.
>>
>> For my testing purposes I will use
>>
>> CFLAGS="-fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2" LDFLAGS="-Wl,-z,now -Wl,-z,relro"
>>
>> which is used by Gentoo, but adjustments (whether to opt-in or
>> opt-out) will be made.
>> --
>> ng0 :: https://ea.n0.is
>> A88C8ADD129828D7EAC02E52E22F9BBFEE348588 :: https://ea.n0.is/keys/
>>
>
>

--
ng0 :: https://ea.n0.is
A88C8ADD129828D7EAC02E52E22F9BBFEE348588 :: https://ea.n0.is/keys/
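The flag set quoted in the thread is only useful if each flag actually reaches the binary, so a build-system integration needs a way to verify that. The script below is an added example, not code from this thread, from Guix or from Gentoo: it compiles one small constructed C program with the quoted CFLAGS/LDFLAGS and again with every corresponding mitigation turned off, then inspects both ELF files with readelf for the five properties those flags are meant to produce (PIE, RELRO, BIND_NOW, stack canary, FORTIFY). It assumes gcc and binutils' readelf are installed. Two flags are additions of this example and not part of the quoted set: -O2, because glibc's _FORTIFY_SOURCE is inert without optimisation, and -pie on the link line, because -fPIE alone does not make the executable a PIE on toolchains that do not default to it.

```shell
#!/bin/sh
# Added example (not code from the thread or from Guix): compile one small
# constructed C program twice, once with the Gentoo-derived hardening flags
# quoted in the mail and once with every corresponding mitigation turned off,
# then inspect both ELF binaries with readelf to confirm each flag took
# effect.  Assumes gcc and binutils (readelf) are installed.
set -eu

# The quoted flag set, plus two additions of this example's own: -O2, because
# glibc's _FORTIFY_SOURCE only activates when optimising, and -pie on the link
# line, because -fPIE alone emits position-independent objects but does not
# produce a PIE executable on toolchains that do not default to one.
HARDEN_CFLAGS="-O2 -fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2"
HARDEN_LDFLAGS="-pie -Wl,-z,now -Wl,-z,relro"

# Deliberately unhardened baseline for the comparison.
PLAIN_CFLAGS="-O2 -fno-stack-protector -U_FORTIFY_SOURCE"
PLAIN_LDFLAGS="-no-pie -Wl,-z,norelro -Wl,-z,lazy"

# Constructed sample program.  The copy length comes from a volatile so the
# optimiser cannot prove it fits: with a compile-time-known length gcc folds
# the fortified __memcpy_chk back to plain memcpy and no FORTIFY symbol would
# remain in the binary to observe.
write_sample() {
    cat > "$1" <<'EOF'
#include <stdio.h>
#include <string.h>
int main(void) {
    char buf[64];
    volatile size_t n = 5;     /* length unknown to the optimiser */
    memcpy(buf, "hello", n);   /* __memcpy_chk when fortified */
    buf[n] = '\0';
    puts(buf);
    return 0;
}
EOF
}

# Build the sample into "$1/$2" with the given compiler and linker flags.
build() {  # build <dir> <name> <cflags> <ldflags>
    write_sample "$1/sample.c"
    # shellcheck disable=SC2086  # the flag strings are meant to word-split
    gcc $3 "$1/sample.c" -o "$1/$2" $4
}

# Each check exits 0 when the property is present in the ELF file.
has_pie()      { readelf -h "$1" | grep -q 'Type:[[:space:]]*DYN'; }
has_relro()    { readelf -l "$1" | grep -q 'GNU_RELRO'; }
has_bind_now() { readelf -d "$1" | grep -Eq '\(FLAGS(_1)?\).*NOW'; }
has_canary()   { readelf -s "$1" | grep -q '__stack_chk_fail'; }
has_fortify()  { readelf -s "$1" | grep -Eq '__[a-z_]+_chk(@|[[:space:]]|$)'; }

# Print one PASS/FAIL line per property on stderr and echo the number missing.
report() {
    missing=0
    for check in has_pie has_relro has_bind_now has_canary has_fortify; do
        if $check "$1"; then
            printf '  %-12s PASS\n' "$check" >&2
        else
            printf '  %-12s FAIL\n' "$check" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# Build one variant ("hardened" or "plain") in a scratch directory and echo
# how many of the five properties its binary lacks.
missing_for() {
    dir=$(mktemp -d)
    if [ "$1" = hardened ]; then
        build "$dir" "$1" "$HARDEN_CFLAGS" "$HARDEN_LDFLAGS"
    else
        build "$dir" "$1" "$PLAIN_CFLAGS" "$PLAIN_LDFLAGS"
    fi
    report "$dir/$1"
    rm -rf "$dir"
}

if command -v gcc >/dev/null 2>&1 && command -v readelf >/dev/null 2>&1; then
    for variant in hardened plain; do
        echo "== $variant build ==" >&2
        echo "$variant: missing properties: $(missing_for "$variant")"
    done
else
    echo "gcc and readelf are required for this check" >&2
fi
```

The hardened build should report zero missing properties; the plain build should miss at least PIE, RELRO, the canary and FORTIFY (some distribution toolchains still add BIND_NOW on their own). Running the same checks against a package's installed binaries is the cheapest way to confirm that an opt-in like the proposed #:hardening-flags keyword really propagated through a given build system, since many configure scripts and Makefiles silently drop or override CFLAGS and LDFLAGS.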