[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Plan for Guix security (was Re: Long term plan for GuixSD security:

From: Ludovic Courtès
Subject: Re: Plan for Guix security (was Re: Long term plan for GuixSD security: microkernels, ocap, RISC-V support)
Date: Sat, 05 Jan 2019 18:47:23 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)


Marius Bakke <address@hidden> skribis:

> Alex Vong <address@hidden> writes:
>> Besides, I remember we have discuss about hardening before. Should I
>> start a new hardening branch? (although I don't time to work on it right
>> now). I think this is something we can do now.
>> My idea is to create a new guix module (guix build hardening) which
>> should contains various build flags. Then we should modifiy each build
>> system to import from this new module and fix any build error caused by
>> it. We can ask the build farm to evaluate this new branch, right?
>> What do you think?
> Thank you for taking the initiative!  This sounds great to me.  I
> imagine the build systems could get an argument along the lines of
> #:hardening-flags '(pie fortify stack-protector ...).
> For gnu-build-system, I suppose we'd build up CFLAGS, LDFLAGS and
> friends?  We'll also have to modify all packages that override those
> variables.

Sounds like a plan.  I think Alex proposed something along these lines
long ago.

The difficulty will lie in finding a way to pass those flags reliably
through the build system…


reply via email to

[Prev in Thread] Current Thread [Next in Thread]