[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Plan for Guix security (was Re: Long term plan for GuixSD security:
Re: Plan for Guix security (was Re: Long term plan for GuixSD security: microkernels, ocap, RISC-V support)
Wed, 26 Dec 2018 14:42:03 +0100
Notmuch/0.28 (https://notmuchmail.org) Emacs/26.1 (x86_64-pc-linux-gnu)
Alex Vong <address@hidden> writes:
> Besides, I remember we have discuss about hardening before. Should I
> start a new hardening branch? (although I don't time to work on it right
> now). I think this is something we can do now.
> My idea is to create a new guix module (guix build hardening) which
> should contains various build flags. Then we should modifiy each build
> system to import from this new module and fix any build error caused by
> it. We can ask the build farm to evaluate this new branch, right?
> What do you think?
Thank you for taking the initiative! This sounds great to me. I
imagine the build systems could get an argument along the lines of
#:hardening-flags '(pie fortify stack-protector ...).
For gnu-build-system, I suppose we'd build up CFLAGS, LDFLAGS and
friends? We'll also have to modify all packages that override those
Description: PGP signature