public inbox for gentoo-dev@lists.gentoo.org
 help / color / mirror / Atom feed
Search results ordered by [date|relevance]  view[summary|nested|Atom feed]
thread overview below | download: 
* Re: [gentoo-dev] Moving more hardening features to default?
  @ 2011-10-20 10:40 99% ` Anthony G. Basile
  0 siblings, 0 replies; 1+ results
From: Anthony G. Basile @ 2011-10-20 10:40 UTC (permalink / raw
  To: gentoo-dev

On 10/20/2011 04:47 AM, "Paweł Hajdan, Jr." wrote:
> I've noticed
> <http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags>, i.e.
> Debian is starting to make more and more hardening features default, at
> least for most packages.
>
> Should we start doing that too? What are possible problems with that? It
> seems like it's mostly about USE=hardened, right?
>
> I've noticed that several binary drivers like nvidia-drivers are masked
> on hardened - is it a problem with hardened-sources, or with hardened
> toolchain?
>
 The nvidia-driver problem is due to PaX in the kernel, so its
hardened-sources.

USE=hardened refers to only toolchain hardening.  The problems there are
mostly packages which break with PIE because they (ab)use assembly. 
Things like virtualbox and some codecs.  This can become a thorny mess.

It would probably be nearly painless to bring in -D_FORTIFY_SOURCES=2
and ssp into mainstream though.  Packages which break because of either
of those two features are broken and should be fixed anyhow.

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 8040 5A4D 8709 21B1 1A88  33CE 979C AF40 D045 5535
GnuPG ID  : D0455535




^ permalink raw reply	[relevance 99%]

Results 1-1 of 1 | reverse | options above
-- pct% links below jump to the message on this page, permalinks otherwise --
2011-10-20  8:47     [gentoo-dev] Moving more hardening features to default? "Paweł Hajdan, Jr."
2011-10-20 10:40 99% ` Anthony G. Basile

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox