[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Plan for Guix security (was Re: Long term plan for GuixSD security:
Re: Plan for Guix security (was Re: Long term plan for GuixSD security: microkernels, ocap, RISC-V support)
Sat, 05 Jan 2019 18:47:23 +0100
Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
Marius Bakke <address@hidden> skribis:
> Alex Vong <address@hidden> writes:
>> Besides, I remember we have discuss about hardening before. Should I
>> start a new hardening branch? (although I don't time to work on it right
>> now). I think this is something we can do now.
>> My idea is to create a new guix module (guix build hardening) which
>> should contains various build flags. Then we should modifiy each build
>> system to import from this new module and fix any build error caused by
>> it. We can ask the build farm to evaluate this new branch, right?
>> What do you think?
> Thank you for taking the initiative! This sounds great to me. I
> imagine the build systems could get an argument along the lines of
> #:hardening-flags '(pie fortify stack-protector ...).
> For gnu-build-system, I suppose we'd build up CFLAGS, LDFLAGS and
> friends? We'll also have to modify all packages that override those
Sounds like a plan. I think Alex proposed something along these lines
The difficulty will lie in finding a way to pass those flags reliably
through the build system…
|[Prev in Thread]
||[Next in Thread]|
- Re: Plan for Guix security (was Re: Long term plan for GuixSD security: microkernels, ocap, RISC-V support),
Ludovic Courtès <=