* Re: [gentoo-dev] Moving more hardening features to default?
@ 2011-10-20 10:40 99% ` Anthony G. Basile
0 siblings, 0 replies; 1+ results
From: Anthony G. Basile @ 2011-10-20 10:40 UTC (permalink / raw
To: gentoo-dev
On 10/20/2011 04:47 AM, "Paweł Hajdan, Jr." wrote:
> I've noticed
> <http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags>, i.e.
> Debian is starting to make more and more hardening features default, at
> least for most packages.
>
> Should we start doing that too? What are possible problems with that? It
> seems like it's mostly about USE=hardened, right?
>
> I've noticed that several binary drivers like nvidia-drivers are masked
> on hardened - is it a problem with hardened-sources, or with hardened
> toolchain?
>
The nvidia-driver problem is due to PaX in the kernel, so its
hardened-sources.
USE=hardened refers to only toolchain hardening. The problems there are
mostly packages which break with PIE because they (ab)use assembly.
Things like virtualbox and some codecs. This can become a thorny mess.
It would probably be nearly painless to bring in -D_FORTIFY_SOURCES=2
and ssp into mainstream though. Packages which break because of either
of those two features are broken and should be fixed anyhow.
--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
^ permalink raw reply [relevance 99%]
Results 1-1 of 1 | reverse | options above
-- pct% links below jump to the message on this page, permalinks otherwise --
2011-10-20 8:47 [gentoo-dev] Moving more hardening features to default? "Paweł Hajdan, Jr."
2011-10-20 10:40 99% ` Anthony G. Basile
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox