On 10/20/2011 04:47 AM, "Paweł Hajdan, Jr." wrote:
> I've noticed
> <http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags>, i.e.
> Debian is starting to make more and more hardening features default, at
> least for most packages.
>
> Should we start doing that too? What are possible problems with that? It
> seems like it's mostly about USE=hardened, right?
>
> I've noticed that several binary drivers like nvidia-drivers are masked
> on hardened - is it a problem with hardened-sources, or with hardened
> toolchain?
>
The nvidia-driver problem is due to PaX in the kernel, so it's
hardened-sources.

USE=hardened refers to only toolchain hardening. The problems there are
mostly packages which break with PIE because they (ab)use assembly.
Things like virtualbox and some codecs. This can become a thorny mess.

It would probably be nearly painless to bring in -D_FORTIFY_SOURCES=2
and ssp into mainstream though. Packages which break because of either
of those two features are broken and should be fixed anyhow.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@g.o
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
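As an added illustration of the three toolchain features discussed in this thread (PIE, SSP, FORTIFY_SOURCE), and not code from the list posters or from Gentoo, the checker below reads an ELF image and reports which of them a built binary shows evidence of, in the same spirit as the readelf-based checksec heuristics. The two sample images are constructed inline: a bare ELF64 header followed by the symbol names a hardened or an unhardened build would reference.

```python
import re
import struct
import sys

# Constructed sample inputs (not real binaries): a 64-byte ELF64 little-endian
# header whose e_type is ET_DYN (3, what PIE executables are linked as) or
# ET_EXEC (2), followed by strings standing in for the dynamic string table.
def _elf64_header(e_type: int) -> bytes:
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, LSB
    return e_ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1,
                                 0, 0, 0, 0, 64, 56, 0, 64, 0, 0)

SAMPLE_HARDENED = (_elf64_header(3)
                   + b"\x00__stack_chk_fail\x00__memcpy_chk\x00printf\x00")
SAMPLE_PLAIN = _elf64_header(2) + b"\x00memcpy\x00printf\x00"


def check_hardening(elf: bytes) -> dict:
    """Report evidence of PIE, -fstack-protector and _FORTIFY_SOURCE in an ELF image."""
    if len(elf) < 64 or elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    little = elf[5] == 1  # EI_DATA: 1 = little-endian, 2 = big-endian
    e_type = struct.unpack("<H" if little else ">H", elf[16:18])[0]
    return {
        # PIE executables are ET_DYN; a plain executable is ET_EXEC. Only
        # meaningful for executables, since shared libraries are ET_DYN too.
        "pie": e_type == 3,
        # -fstack-protector* emits a reference to __stack_chk_fail.
        "ssp": b"__stack_chk_fail" in elf,
        # -D_FORTIFY_SOURCE=2 rewrites libc calls to checked __*_chk variants,
        # so at least one such name appears in the dynamic string table.
        "fortify": re.search(rb"__[a-z0-9_]+_chk\x00", elf) is not None,
    }


def report(elf: bytes) -> str:
    """Format the check result as one line, e.g. 'pie=yes ssp=no fortify=yes'."""
    flags = check_hardening(elf)
    return " ".join(f"{k}={'yes' if v else 'no'}" for k, v in flags.items())


if __name__ == "__main__":
    # Pass a path to inspect a real binary; otherwise show the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], report(f.read()))
    else:
        print("hardened sample:", report(SAMPLE_HARDENED))
        print("plain sample:   ", report(SAMPLE_PLAIN))
```

A missing `__stack_chk_fail` or `__*_chk` reference can also mean the compiler found nothing to instrument, so treat a "no" as a prompt to inspect the build flags rather than as proof they were absent.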