List Archive: gentoo-security
-----BEGIN PGP SIGNED MESSAGE-----
OK, there's too much arguing and not enough useful discussion going on
here. I suggest if you go through with this that you start with the
following in mind and build from there.
1. Protect daemons and chmod +s programs
For our purposes, let's define a daemon as any program which interacts
with (processes data from) non-root processes, including processes from
other machines. This would cover apache and ssh as well as anything
that happened to provide services to the local box through SysV IPC or
2. Use a FEATURES flag to implement
The FEATURES flag I've seen most suggested by persons other than me is
'autossp'. This flag should cause a portage command (such as
apply-autossp) to append -fstack-protector to CFLAGS. Optionally,
'autosspall' should apply -fstack-protector-all.
It's no secret that -fstack-protector-all breaks some programs that
-fstack-protector doesn't (i.e. Firefox, Thunderbird, Mozilla). In case
of an 'autosspall' FEATURES flag and broken daemons, the 'apply-autossp
no-all' command could tell apply-autossp to use -fstack-protector and
3. Is this on by default?
It's believed by some of us, me included, to be sane to implement
'autossp' by default. Personally, I'm against -fstack-protector-all
('autosspall') by default; others may disagree. I do not have a strong
understanding of the difference between -fstack-protector and -all; I
know what they technically do, but not what the extra instrumentation
code generated with -all will actually gain you. Others know more than I.
Remember that if this is on by default, any user can add "-autossp" to
FEATURES in make.conf. If it's genuinely harmless (I believe it is),
there's really no point in making the user explicitly enable it.
firstname.lastname@example.org mailing list
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
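The post proposes that an 'autossp' FEATURES flag should make a portage command append -fstack-protector to CFLAGS, that 'autosspall' should apply -fstack-protector-all instead, that a user can opt out with "-autossp", and that a per-package no-all override should fall back to plain -fstack-protector for daemons known to break under -all. The shell function below is an added example modelling that decision logic; it is not part of the original message or of portage. The function name, its argument convention and the "no-all" third argument are assumptions, and the CFLAGS values are constructed sample input.

```shell
#!/bin/sh
# Added example (not portage code): compute the CFLAGS the proposed
# 'autossp' / 'autosspall' FEATURES flags would produce.
#
# autossp_cflags FEATURES CFLAGS [no-all]
#   FEATURES is scanned left to right, as portage does with "-x" negations:
#     autossp      -> -fstack-protector
#     autosspall   -> -fstack-protector-all (overrides autossp)
#     -autosspall  -> drop back to whatever autossp gives
#     -autossp     -> disable stack protection entirely
#   A third argument "no-all" models 'apply-autossp no-all' for a package
#   that breaks under -all: it is built with plain -fstack-protector.
#   Any stack-protector flag already present in CFLAGS is removed first so
#   the FEATURES choice is neither duplicated nor contradicted.
autossp_cflags() {
    features="$1"
    cflags="$2"
    noall="${3:-}"
    ssp=0
    sspall=0
    for f in $features; do
        case "$f" in
            autossp)     ssp=1 ;;
            -autossp)    ssp=0; sspall=0 ;;
            autosspall)  sspall=1 ;;
            -autosspall) sspall=0 ;;
        esac
    done

    flag=""
    if [ "$sspall" = 1 ] && [ "$noall" != "no-all" ]; then
        flag="-fstack-protector-all"
    elif [ "$sspall" = 1 ] || [ "$ssp" = 1 ]; then
        flag="-fstack-protector"
    fi

    out=""
    for c in $cflags; do
        case "$c" in
            -fstack-protector|-fstack-protector-all|-fno-stack-protector) ;;
            *) out="$out${out:+ }$c" ;;
        esac
    done
    if [ -n "$flag" ]; then
        out="$out${out:+ }$flag"
    fi
    printf '%s\n' "$out"
}

# Constructed sample runs (make.conf-style values, not taken from any system):
autossp_cflags "autossp" "-O2 -pipe"                      # -O2 -pipe -fstack-protector
autossp_cflags "autossp autosspall" "-O2"                 # -O2 -fstack-protector-all
autossp_cflags "autossp autosspall" "-O2" no-all          # -O2 -fstack-protector
autossp_cflags "autossp -autossp" "-O2 -fstack-protector" # -O2
```

The per-package "no-all" path is the interesting case: it keeps the default-on protection the post argues for while letting a known-broken daemon step down one level instead of opting out of stack protection altogether.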