From mboxrd@z Thu Jan  1 00:00:00 1970
From: Marius Bakke <mbakke@fastmail.com>
Subject: Re: Plan for Guix security (was Re: Long term plan for GuixSD
	security: microkernels, ocap, RISC-V support)
Date: Wed, 26 Dec 2018 14:42:03 +0100
Message-ID: <87muos8kwk.fsf@fastmail.com>
References: <87d0u9s1x0.fsf@dustycloud.org> <877efxp8xs.fsf@gmail.com>
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha512; protocol="application/pgp-signature"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([208.118.235.92]:32951)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <mbakke@fastmail.com>) id 1gc9Rp-00083p-Pm
	for guix-devel@gnu.org; Wed, 26 Dec 2018 08:42:10 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <mbakke@fastmail.com>) id 1gc9Rm-0006j4-J1
	for guix-devel@gnu.org; Wed, 26 Dec 2018 08:42:09 -0500
Received: from out1-smtp.messagingengine.com ([66.111.4.25]:33075)
	by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
	(Exim 4.71) (envelope-from <mbakke@fastmail.com>) id 1gc9Rm-0006it-AW
	for guix-devel@gnu.org; Wed, 26 Dec 2018 08:42:06 -0500
In-Reply-To: <877efxp8xs.fsf@gmail.com>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Alex Vong <alexvong1995@gmail.com>, Christopher Lemmer Webber <cwebber@dustycloud.org>
Cc: guix-devel@gnu.org

--=-=-=
Content-Type: text/plain

Hello!

Alex Vong <alexvong1995@gmail.com> writes:

> Besides, I remember we have discuss about hardening before. Should I
> start a new hardening branch? (although I don't time to work on it right
> now). I think this is something we can do now.
>
> My idea is to create a new guix module (guix build hardening) which
> should contains various build flags. Then we should modifiy each build
> system to import from this new module and fix any build error caused by
> it. We can ask the build farm to evaluate this new branch, right?
>
>
> What do you think?

Thank you for taking the initiative!  This sounds great to me.  I
imagine the build systems could get an argument along the lines of
#:hardening-flags '(pie fortify stack-protector ...).

For gnu-build-system, I suppose we'd build up CFLAGS, LDFLAGS and
friends?  We'll also have to modify all packages that override those
variables.

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEu7At3yzq9qgNHeZDoqBt8qM6VPoFAlwjhSsACgkQoqBt8qM6
VPoEfwf6A1+K5xChBQVU/yrg2bgPkTMdmp8lNOIupoXaNBkoeLuwuDg+DokxodFO
MyD6b8IyMTeT+iI6n9Ay02rmXIW/EXl9OexDa9VvLQJGAktUqEgQC6GCx2Gdt5YC
UA7eULC1CUtkMNuIVzWN2i0FVudk00dKemjNmwMm5gR8tJXOSZQly6FHDBr5lwoQ
0SmxMrjX5t53+tqmfsa34Pxle5ivssDzYDELtfdSIclhfhAAOMglgRYtFrjaeB43
m6B7XUaIQpgAEvuDB5VCyaJ8OdywSliZy/pujznMUFjt7zDwAa9jgq3xP4IM842P
8jItOQMqpE5CxOF+VBsMtPv35bhbUg==
=Rv/C
-----END PGP SIGNATURE-----
--=-=-=--