Hi Martin,

2014-04-16 14:53 GMT+02:00 Martin Wuertele <mar...@wuertele.net>:
> * Balint Reczey <bal...@balintreczey.hu> [2014-04-15 12:01]:
>
> (...)
>
>> My proposal for serving those security-focused users is introducing a
>> new architecture targeting amd64 hardware, but with more security
>> related C/C++ features turned on for every package (currently hardening
>> has to be enabled by the maintainers in some way) through compiler flags
>> as a start.
>>
>> Introducing the new architecture would also let package maintainers
>> enable additional dependencies and build rules selectively for the new
>> architecture, improving the security further. On the users' side the
>> advantage of having a separate security enhanced architecture instead of
>> a Debian derivative is the potential of installing a set of security
>> enhanced packages using multiarch [6]. You could have a fast amd64
>> installation as a base and run Apache or any other sensitive server from
>> the amd64-hardened packages!
>>
>> -----
>>
>> What do you think? Would adding a new arch be feasible and a good solution?
>
> Why is it not feasible to provide additional -hardened packages? With
> that it would be possible to provide hardened versions of packages on
> other archs as well.

Providing -hardened packages on a per-package basis is certainly doable,
but it would not scale to a useful level IMO. With the proposed
multiarch-based method one would pick a binary and all of its library
dependencies from the hardened arch from top to bottom.

In case of providing -hardened binary packages for amd64 to achieve the
same results we would have to wait for all library packagers to provide
-hardened versions, and even a single developer not having time could
block the goal. Managing the dependencies between -hardened and normal
libraries seems to be a complex problem which I would like to avoid.

Cheers,
Balint

Archive: https://lists.debian.org/cak0odpytg9u4dkacrebbstk3_a3jjtzvvkmhkwsznnzemjq...@mail.gmail.com
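The hardening the proposal wants switched on for every package through compiler and linker flags leaves visible marks in the built ELF objects. As an added example (not part of the thread, and not Debian tooling), the script below reads the ELF64 header and program headers directly to report three of those marks: PIE (e_type ET_DYN), a non-executable stack (PT_GNU_STACK without PF_X) and RELRO (PT_GNU_RELRO). The two sample images it carries are constructed inline for demonstration; pass real paths on the command line to audit installed binaries.

```python
import struct
import sys

ET_DYN = 3                 # e_type of a PIE executable (or a shared object)
PT_GNU_STACK = 0x6474E551  # stack permissions requested from the loader
PT_GNU_RELRO = 0x6474E552  # region the loader makes read-only after relocation
PF_X = 0x1

def elf_hardening(data: bytes) -> dict:
    """Header-level hardening markers of a little-endian ELF64 image.

    pie:   e_type == ET_DYN (what -fPIE/-pie produce)
    nx:    a PT_GNU_STACK header is present and does not request PF_X
           (no header at all means the loader falls back to an executable stack)
    relro: a PT_GNU_RELRO header is present (what -Wl,-z,relro produces)
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx = relro = False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}

def make_elf(e_type: int, phdrs: list) -> bytes:
    """Constructed minimal ELF64 image (header plus program headers only), for testing."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # 64-bit, little-endian, v1
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                              64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return hdr + body

# Constructed samples: one laid out as the hardened flags would produce, one without them.
HARDENED = make_elf(ET_DYN, [(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)])
LEGACY = make_elf(2, [(PT_GNU_STACK, 0x7)])  # ET_EXEC, RWX stack, no RELRO segment

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, elf_hardening(f.read()))
    print("hardened sample:", elf_hardening(HARDENED))
    print("legacy sample:", elf_hardening(LEGACY))
```

Stack-protector and FORTIFY use are not visible at header level; checking those needs the dynamic symbol table, which this example leaves out.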