* Balint Reczey <bal...@balintreczey.hu> [140415 12:01]:
[..]
> My proposal for serving those security-focused users is introducing a
> new architecture targeting amd64 hardware, but with more security
> related C/C++ features turned on for every package (currently hardening
> has to be enabled by the maintainers in some way) through compiler flags
> as a start.
[..]
> What do you think? Would adding a new arch be feasible and a good solution?

I think that as of today it would help more to fix various upstream
build tools to actually honor the build flags we (using
dpkg-buildflags) set. This would benefit both the regular
architectures and any hypothetical hardened archs.

Regarding a special hardened arch, I think on amd64 there's almost no
benefit of making a separate arch: just turn on all the hardening
stuff in amd64; the hardware is fast enough to tolerate some slowdown
as a tradeoff for better security.

No ideas for/about the other archs.

-- 
 ,''`.  Christian Hofstaedtler <z...@debian.org>
: :' :  Debian Developer
`. `'   7D1A CFFA D9E0 806C 9C4C D392 5C13 D6DB 9305 2E03
  `-