From: Ludovic Courtès
Subject: Re: Plan for Guix security (was Re: Long term plan for GuixSD security: microkernels, ocap, RISC-V support)
Date: Sat, 05 Jan 2019 18:47:23 +0100
Message-ID: <87k1jj2dzo.fsf@gnu.org>
References: <87d0u9s1x0.fsf@dustycloud.org> <877efxp8xs.fsf@gmail.com> <87muos8kwk.fsf@fastmail.com>
In-Reply-To: <87muos8kwk.fsf@fastmail.com> (Marius Bakke's message of "Wed, 26 Dec 2018 14:42:03 +0100")
To: Marius Bakke
Cc: guix-devel@gnu.org

Hello,

Marius Bakke skribis:

> Alex Vong writes:
>
>> Besides, I remember we have discussed hardening before. Should I
>> start a new hardening branch? (although I don't have time to work on it
>> right now). I think this is something we can do now.
>>
>> My idea is to create a new guix module (guix build hardening) which
>> should contain various build flags. Then we should modify each build
>> system to import from this new module and fix any build errors caused by
>> it. We can ask the build farm to evaluate this new branch, right?
>>
>> What do you think?
>
> Thank you for taking the initiative! This sounds great to me. I
> imagine the build systems could get an argument along the lines of
> #:hardening-flags '(pie fortify stack-protector ...).
>
> For gnu-build-system, I suppose we'd build up CFLAGS, LDFLAGS and
> friends? We'll also have to modify all packages that override those
> variables.

Sounds like a plan. I think Alex proposed something along these lines
long ago. The difficulty will lie in finding a way to pass those flags
reliably through the build system…

Ludo'.
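As an added illustration of the module Alex and Marius sketch above, here is a Guile module that turns a list such as '(pie fortify stack-protector) into compiler and linker options and prepends them to whatever CFLAGS, CXXFLAGS and LDFLAGS a package already exports. This is not Guix code: the module name is the one Alex proposed, but the flag table, the procedure names (hardening-flags->cflags, hardening-flags->ldflags, set-hardening-flags!, hardening-phase) and the environment-variable approach are my assumptions about how such a module could look.

```scheme
;;; Hypothetical sketch of a (guix build hardening) module.
;;; Not Guix's own code; names and the flag table are assumptions.
(define-module (guix build hardening)
  #:use-module (srfi srfi-1)
  #:export (%default-hardening-flags
            hardening-flags->cflags
            hardening-flags->ldflags
            set-hardening-flags!
            hardening-phase))

;; Each symbol maps to a pair of lists: compiler options, linker options.
;; _FORTIFY_SOURCE only does anything when optimisation is enabled, so
;; -O2 is paired with it; -fstack-protector-strong needs GCC >= 4.9.
(define %hardening-flag-table
  '((pie             . (("-fPIE") ("-pie")))
    (fortify         . (("-O2" "-D_FORTIFY_SOURCE=2") ()))
    (stack-protector . (("-fstack-protector-strong") ()))
    (relro           . (() ("-Wl,-z,relro")))
    (bind-now        . (() ("-Wl,-z,now")))
    (format-security . (("-Wformat" "-Wformat-security"
                         "-Werror=format-security") ()))))

(define %default-hardening-flags
  '(pie fortify stack-protector relro bind-now format-security))

(define (lookup flag)
  "Return the (CFLAGS LDFLAGS) entry for FLAG, failing loudly on typos so
a misspelt flag in a package recipe cannot silently disable hardening."
  (or (assq-ref %hardening-flag-table flag)
      (error "unknown hardening flag" flag)))

(define (hardening-flags->cflags flags)
  (append-map (lambda (flag) (first (lookup flag))) flags))

(define (hardening-flags->ldflags flags)
  (append-map (lambda (flag) (second (lookup flag))) flags))

(define (set-hardening-flags! flags)
  "Prepend the compiler and linker options for FLAGS to CFLAGS, CXXFLAGS
and LDFLAGS.  Existing values are kept after the hardening options, so a
package that exports its own flags does not drop hardening by accident,
and its later options still win where they conflict with ours."
  (define (prepend! var options)
    (unless (null? options)
      (let ((old (getenv var)))
        (setenv var (string-join (append options
                                         (if old (list old) '()))
                                 " ")))))
  (let ((cflags  (hardening-flags->cflags flags))
        (ldflags (hardening-flags->ldflags flags)))
    (prepend! "CFLAGS" cflags)
    (prepend! "CXXFLAGS" cflags)
    (prepend! "LDFLAGS" ldflags)))

;; A build phase a build system could run right before 'configure, taking
;; the #:hardening-flags argument Marius suggested.
(define* (hardening-phase #:key (hardening-flags %default-hardening-flags)
                          #:allow-other-keys)
  (set-hardening-flags! hardening-flags)
  #t)
```

Prepending to the environment only reaches packages whose build reads CFLAGS and LDFLAGS from the environment (the common Autotools case). A package whose makefile assigns CFLAGS outright, or that passes flags through #:configure-flags or #:make-flags, ignores these variables entirely; those are the per-package overrides Marius mentions, and they need to be patched or given the same options explicitly. Since the build farm rebuilds everything on the branch, checking the resulting binaries (for example that PIE executables are of type DYN and that __stack_chk_fail and *_chk symbols appear) is the way to find the packages where the flags silently did not arrive.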