Let's keep this thread as the thread to discuss possible solutions and work in that field.
Yesterday Marius wrote on IRC (https://gnunet.org/bot/log/guix/2018-03-21#T1657250):

  <mbakke> This is a pretty good article about build flags (mainly hardening related): https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-...
  <mbakke> It would be great to have a "#:hardening?" option with additional provisions for specific flags.

The link in full: https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/

Nix has a functionality to disable hardening: https://github.com/NixOS/nixpkgs/search?utf8=%E2%9C%93&q=harden&type=
for example visible here: https://github.com/NixOS/nixpkgs/commit/f5b04628f00e98e4c757466ab6be2c125d89feeb

I have some more notes on Gentoo I'll add next month.

Food for thought: if we go all in, we might have to recompile the bootstrap binaries.

The keyword #:hardening-flags is a good entry point for manually fixing packages up to the point where they work with hardened flags. The caveat is that not everything will work well, or even at all, with hardened flags and toolchain. So we are presented with two options:

1) selectively harden what is possible through the keyword mentioned above, or
2) harden by default and switch off flags through something like #:hardening-exclude, which would default to the empty list and otherwise would remove the elements in its list from the list of flags.

Further thoughts: #:hardened? could be a simple check so that package graphs which are not hardened are possible. We would default to #t; off would be #f, obviously.

My work in progress so far is to work this into the gnu-build-system, which seemed like a good starting point.

I'm in favor of option 2, coupled with the keyword to disable hardening altogether.

WDYT?

-- 
A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://n0.is
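As an added illustration of "option 2" above (example code written for this discussion, not code from Guix, from the gnu-build-system or from the message's author): a hypothetical Guile procedure that takes the proposed #:hardened? and #:hardening-exclude keywords and computes the CFLAGS/LDFLAGS a package would get. The keyword names follow the proposal, but the procedure names, the default flag lists and the "linked group" rule are assumptions made for this sketch; the flags themselves are the GCC/binutils options covered by the linked Red Hat article.

```scheme
;; Hypothetical sketch, not part of Guix: how a build system could derive
;; per-package hardening flags from #:hardened? and #:hardening-exclude.
(use-modules (srfi srfi-1)    ; append-map, find, remove, delete-duplicates
             (srfi srfi-26))  ; cut

;; Assumed default flags, split by the phase they affect.
;; Notes a packager needs: -D_FORTIFY_SOURCE=2 only does anything when
;; optimisation (-O2 or higher) is also on, and -fstack-clash-protection
;; needs GCC 8 or newer.
(define %hardening-cflags
  '("-D_FORTIFY_SOURCE=2"
    "-fstack-protector-strong"
    "-fstack-clash-protection"
    "-fPIE"))

(define %hardening-ldflags
  '("-pie"
    "-Wl,-z,relro"
    "-Wl,-z,now"))

;; Some flags only make sense together: compiling without -fPIE but still
;; linking with -pie fails for non-PIC objects.  Excluding one member of a
;; group therefore drops the whole group (assumed rule for this sketch).
(define %linked-groups
  '(("-fPIE" "-pie")))

(define (expand-excludes excludes)
  "Return EXCLUDES extended with every flag tied to an excluded flag."
  (delete-duplicates
   (append-map (lambda (flag)
                 (or (find (lambda (group) (member flag group))
                           %linked-groups)
                     (list flag)))
               excludes)))

(define* (hardening-flags #:key (hardened? #t) (hardening-exclude '()))
  "Return two values, the CFLAGS list and the LDFLAGS list, for a package
whose arguments carry the (hypothetical) HARDENED? and HARDENING-EXCLUDE
keywords.  HARDENED? #f switches hardening off entirely; otherwise every
flag named in HARDENING-EXCLUDE (plus its linked flags) is removed from
the defaults."
  (if (not hardened?)
      (values '() '())
      (let ((drop (expand-excludes hardening-exclude)))
        (values (remove (cut member <> drop) %hardening-cflags)
                (remove (cut member <> drop) %hardening-ldflags)))))

(define (hardening-configure-flags . args)
  "Render the result as the CFLAGS=... and LDFLAGS=... strings one would
append to a package's #:configure-flags."
  (call-with-values (lambda () (apply hardening-flags args))
    (lambda (cflags ldflags)
      (list (string-append "CFLAGS=" (string-join cflags " "))
            (string-append "LDFLAGS=" (string-join ldflags " "))))))

;; Usage: a package that cannot be built as PIE keeps every other flag,
;; and -pie is dropped along with -fPIE.
(hardening-configure-flags #:hardening-exclude '("-fPIE"))

;; Usage: an unhardened package graph, the #:hardened? #f case.
(hardening-configure-flags #:hardened? #f)
```

The point of the linked-group rule is the caveat in the message: a per-flag exclude list is only safe if the build system knows which flags depend on each other, otherwise a packager who drops -fPIE to fix one failure trades it for a link failure.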