On Mon, Apr 20, 2020 at 04:21:59PM +0200, Marcin Wojtas wrote:
> Hi Ed,
> 
> On Fri, 17 Apr 2020 at 15:52, Ed Maste <ema...@freebsd.org> wrote:
> >
> > On Fri, 17 Apr 2020 at 08:58, Marcin Wojtas <m...@semihalf.com> wrote:
> > >
> > > Hi,
> > >
> > > Together with our customers, Semihalf is interested in improving the status
> > > of security mitigations enablement in FreeBSD.
> >
> > Happy to hear that there's interest in this work!
> >
> > > 1. Are there any hard blockers, like missing features or bugs, that prevent
> > > enabling ASLR by default in the kernel and building the base system with
> > > -DWITH_PIE?
> >
> > I believe there are no showstopper issues but there are some
> > prerequisites. One is that there are some applications that may
> > misbehave with randomization enabled. They would need to be
> > identified, and tagged (with the elfctl tool now in the base system).
> 
> I was thinking if it is possible to come up with such wide test
> coverage to test every single application from the base system. Do you
> think it is achievable or should we rather follow the approach to do
> as many tests as possible, but rely on the community feedback to catch
> the corner cases (like the ntpd issue mentioned in this thread)?
> What about the ports?

If we gate on full testing we'll never move forward.  We had a GSoC
project a few years ago to try to generate lame tests for each program,
if someone picked that up, we could get better coverage fairly
quickly, but it would still be far from complete.  Our best bet is
probably to make it easy for people to test and to try and recruit testers
in the community (this is especially true for ports).

-- Brooks
