On Sat, 16 Apr 2022 00:04:37 +0800
Zhu Zihao <all_but_l...@163.com> wrote:

> > I like this idea.  I propose we make harden? default to #t.  That
> > way practically most packages will be built with hardened features.
> > Let's face it, I am a bit lazy, if I submit a package to guix, I am
> > usually going to do it the easy way. If the easy way is harden? #f,
> > then that is how I will submit it. :)
> 
> I suggest a build transform flag like `--hardened` for people who
> want hardened software, just like `--tune` for SIMD instructions.

People shouldn't have to take extra steps and burn extra CPU cycles for
security. If I have to recompile everything to harden my system, I
likely won't bother.
Pretty much everyone benefits from hardening, but not everyone has the
resources and know-how to do it manually. Just choosing what to harden
is already not a trivial question.
