April 14, 2022 3:00 PM, "Development of GNU Guix and the GNU System distribution." <guix-devel@gnu.org> wrote:
> Mar 29, 2022, 10:15 by l...@gnu.org:
>
>> Hi,
>>
>> Maxim Cournoyer <maxim.courno...@gmail.com> skribis:
>
> > Maxime Devos <maximede...@telenet.be> writes:
>> zimoun schreef op ma 21-03-2022 om 14:34 [+0100]:
> > * gcc can be compiled with `--enable-default-ssp --enable-default-pie`
> > to enforce ssp and pic
>> You wrote [1]:
>>
>> --8<---------------cut here---------------start------------->8---
>> (define-public gcc
>>   (package
>>     (inherit gcc)
>>     (arguments
>>      (substitute-keyword-arguments (package-arguments gcc)
>>        ((#:configure-flags flags
>>          `(append (list "--enable-default-ssp" "--enable-default-pie")
>>                   ,flags)))))))
>> --8<---------------cut here---------------end--------------->8---
>>
>> I think it would be a lot simpler to just add this to the 'standard'
>> gcc configure flags, in (gnu packages gcc), given that probably the
>> idea is to do this hardening for all packages? Needs a world-rebuild
>> though.
>
> +1. The whole distribution can probably benefit from this hardening.
>> That’s something worth trying in a branch off ‘core-updates’.
>>
>> Stack smashing protection (SSP) may incur measurable run-time overhead
>> though so enabling that one by default may be less consensual.
>
> We could do it like how NixOS does it [1]. There can be a `harden?` list in
> the build system that contains a default set of flags. Packages that need to
> have less hardening for performance or other reasons can modify that list. I
> believe this was discussed in an old email (not this thread).

I like this idea. I propose we make harden? default to #t. That way practically most packages will be built with hardened features. Let's face it, I am a bit lazy; if I submit a package to Guix, I am usually going to do it the easy way. If the easy way is harden? #f, then that's how I will submit it. :)

>
>> There are other things that could be done in this area, often with no or
>> little overhead, such as building with -D_FORTIFY_SOURCE. Doing that
>> transparently (without changing build systems) is a bit of a challenge
>> though.
>>
>> Ludo’.
>
> Where and how should the default make and ldflags be set? I guess they could
> be set in the build-system/*.scm.
>
> [1] https://blog.mayflower.de/5800-Hardening-Compiler-Flags-for-NixOS.html
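As an added illustration of the `harden?` knob discussed in this thread (this is example code, not from the thread or from Guix itself): a sketch of how a default set of hardening make flags with a NixOS-style per-package opt-out could be expressed with Guix's existing package API. The names `%hardening-features`, `hardening-make-flags`, `harden`, the `#:disable` keyword and the package `foo` are assumptions.

```scheme
(use-modules (guix gexp)
             (guix packages)
             (guix utils)          ; substitute-keyword-arguments
             (srfi srfi-1))        ; remove, append-map, second, third

;; The three hardening features named in the thread, each with the compiler
;; flags and linker flags that implement it.  -D_FORTIFY_SOURCE only takes
;; effect at -O1 or above, so -O2 is kept next to it.  (Assumed table.)
(define %hardening-features
  '((ssp     ("-fstack-protector-strong")  ())
    (pie     ("-fPIE")                     ("-pie"))
    (fortify ("-O2" "-D_FORTIFY_SOURCE=2") ())))

(define* (hardening-make-flags #:key (disable '()))
  "Return make flags setting CFLAGS and LDFLAGS for every feature in
%HARDENING-FEATURES whose name is not in DISABLE (a list such as '(ssp))."
  (let* ((enabled (remove (lambda (feature) (memq (first feature) disable))
                          %hardening-features))
         (cflags  (append-map second enabled))
         (ldflags (append-map third enabled)))
    (list (string-append "CFLAGS=" (string-join cflags " "))
          (string-append "LDFLAGS=" (string-join ldflags " ")))))

(define* (harden pkg #:key (harden? #t) (disable '()))
  "Return a variant of PKG whose #:make-flags carry the hardening flags.
HARDEN? #f returns PKG untouched: the opt-out proposed in the thread for
packages that cannot afford the run-time cost.  Caveat: variables given on
the make command line override what the package's own Makefile sets, so a
package that relies on its own CFLAGS loses them.  That is the 'transparent'
problem the thread points at, and why a real build-system default needs care."
  (if (not harden?)
      pkg
      (package
        (inherit pkg)
        (arguments
         (substitute-keyword-arguments (package-arguments pkg)
           ;; FLAGS is the package's existing #:make-flags expression
           ;; (a gexp or quoted list), defaulting to an empty list.
           ((#:make-flags flags #~'())
            #~(append '#$(hardening-make-flags #:disable disable) #$flags)))))))

;; Usage, with a hypothetical package FOO:
;;   (harden foo)                     ; all three features, the proposed default
;;   (harden foo #:disable '(ssp))    ; keep PIE and FORTIFY, skip SSP overhead
;;   (harden foo #:harden? #f)        ; complete opt-out
```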