| 1 |
On 10/20/2011 04:47 AM, "Paweł Hajdan, Jr." wrote: |
| 2 |
> I've noticed |
| 3 |
> <http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags>, i.e. |
| 4 |
> Debian is starting to make more and more hardening features default, at |
| 5 |
> least for most packages. |
| 6 |
> |
| 7 |
> Should we start doing that too? What are possible problems with that? It |
| 8 |
> seems like it's mostly about USE=hardened, right? |
| 9 |
> |
| 10 |
> I've noticed that several binary drivers like nvidia-drivers are masked |
| 11 |
> on hardened - is it a problem with hardened-sources, or with hardened |
| 12 |
> toolchain? |
| 13 |
> |
| 14 |
The nvidia-driver problem is due to PaX in the kernel, so its |
| 15 |
hardened-sources. |
| 16 |
|
| 17 |
USE=hardened refers to only toolchain hardening. The problems there are |
| 18 |
mostly packages which break with PIE because they (ab)use assembly. |
| 19 |
Things like virtualbox and some codecs. This can become a thorny mess. |
| 20 |
|
| 21 |
It would probably be nearly painless to bring in -D_FORTIFY_SOURCES=2 |
| 22 |
and ssp into mainstream though. Packages which break because of either |
| 23 |
of those two features are broken and should be fixed anyhow. |
| 24 |
|
| 25 |
-- |
| 26 |
Anthony G. Basile, Ph.D. |
| 27 |
Gentoo Linux Developer [Hardened] |
| 28 |
E-Mail : blueness@g.o |
| 29 |
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535 |
| 30 |
GnuPG ID : D0455535 |
Archives