Re: Hardening
From: ng0
Subject: Re: Hardening
Date: Mon, 30 Jan 2017 12:05:35 +0000
Ludovic Courtès <address@hidden> writes:
> Hi!
>
> ng0 <address@hidden> skribis:
>
>> For starters, I think we could have a "hardened-wip" branch on
>> savannah (I can't commit directly anyway) and that we can target
>> SELinux for now, and look at Hardened Gentoo and other systems to see how
>> they solve issues. Afterwards we need to address the toolchain
>> level, which to our advantage can be a make-and-break by hydra,
>> and everyone who wants to contribute to fixing issues can run
>> their system from the hardening-toolchain-wip branch to
>> contribute to fixing all the breaking applications.
>>
>> Then we need to discuss whether we want to provide this by default
>> (my choice) OR if we want to offer a branch-choice model.
>> Supporting both vanilla and hardened might put some more burden
>> on fixing issues; that's why I'm all for forming a team of people
>> who work on this, and when they no longer want to, other people
>> join the rest of the old team, etc.
>
> Before creating a branch, I think we need a plan. :-)
>
> Alex Vong proposed ways to achieve it a while back:
>
> https://lists.gnu.org/archive/html/guix-devel/2015-12/msg00702.html
>
> I suggest taking a look at the discussion and starting from there.
Okay, I did, and I don't see right now how this new (guix build
build-flags) module would be applied to the gnu build system, for
example.
Would the (gnu build system) just use it somehow? I'd like to
test it, but I didn't write it.
I also would like to rename it to (guix build build-flags-glibc)
(or -gcc), as I want to see a point where we have more than just
glibc. We don't have to build them (the substitutes, packages) all
on hydra. musl and uclibc-ng can be without substitutes as long
as the means of distribution or disk space are not working out for us.
And both can (and will) get hardened builds as well.
> The best option is probably to start small (limited set of
> features/flags/options) and then incrementally improve that.
>
> Ludo’.
--
ng0 -- https://www.inventati.org/patternsinthechaos/