Let's keep this thread as the thread to discuss possible solutions and work
in that field.
Yesterday Marius wrote on IRC
(https://gnunet.org/bot/log/guix/2018-03-21#T1657250):
[] This is a pretty good article about build flags
(mainly hardening related):
https://developers
ng0 writes:
>> > The flags I use (suggested by Debian Wiki[0]) are:
>> >
>> > CPPFLAGS=-D_FORTIFY_SOURCE=2
>>
>> How does this differ from "-O2 -D_FORTIFY_SOURCE" in CFLAGS?
>> I know O2 is optimization and that FORTIFY_SOURCE requires optimization
>> to be specified.
>
> Okay, I've read some
Ricardo Wurmus transcribed 486 bytes:
>
> ng0 writes:
>
> >> > The flags I use (suggested by Debian Wiki[0]) are:
> >> >
> >> > CPPFLAGS=-D_FORTIFY_SOURCE=2
> >>
> >> How does this differ from "-O2 -D_FORTIFY_SOURCE" in CFLAGS?
> >> I know O2 is optimization and that FORTIFY_SOURCE requires op
ng0 transcribed 1.6K bytes:
> Alex Vong transcribed 1.3K bytes:
> > Hello,
> >
> > n...@n0.is writes:
> >
> > > Hi,
> > >
> > > as we've long talked and not really taken action on hardening builds
> > > I've started working on an opt-in way as last discussed in
> > > September 2016, modifying the
Alex Vong transcribed 1.3K bytes:
> Hello,
>
> n...@n0.is writes:
>
> > Hi,
> >
> > as we've long talked and not really taken action on hardening builds
> > I've started working on an opt-in way as last discussed in
> > September 2016, modifying the gnu-build-system with a
> > #:hardening-flags k
Hello,
n...@n0.is writes:
> Hi,
>
> as we've long talked and not really taken action on hardening builds
> I've started working on an opt-in way as last discussed in
> September 2016, modifying the gnu-build-system with a
> #:hardening-flags keyword.
>
> For my testing purposes I will use
>
>> CF
Hi,
On Mon, 29 Jan 2018, Joshua Branson wrote:
> Is this something anyone can start using now? Like I can modify my
> config.scm file somehow and start enjoying a hardened guix?
Sorry to disappoint you, I'd like to have it usable also right
now :) But: no. This takes some time and testing. I'l
Is this something anyone can start using now? Like I can modify my config.scm
file somehow and start enjoying a hardened guix?
On Mon, Jan 29, 2018, at 4:44 AM, n...@n0.is wrote:
> Hi,
>
> as we've long talked and not really taken action on hardening builds
> I've started working on an opt-in w
ng0 writes:
> Ludovic Courtès writes:
>
>> Hi!
>>
>> ng0 skribis:
>>
>>> For starters, I think we could have a "hardened-wip" branch on
>>> savannah (I can't commit anyway directly) and that we can target
>>> SELinux for now, look at Hardened-gentoo and other systems how
>>> they solve issues.
Ludovic Courtès writes:
> Hi!
>
> ng0 skribis:
>
>> For starters, I think we could have a "hardened-wip" branch on
>> savannah (I can't commit anyway directly) and that we can target
>> SELinux for now, look at Hardened-gentoo and other systems how
>> they solve issues. Afterwards we need to a
Hi!
ng0 skribis:
> For starters, I think we could have a "hardened-wip" branch on
> savannah (I can't commit anyway directly) and that we can target
> SELinux for now, look at Hardened-gentoo and other systems how
> they solve issues. Afterwards we need to address the toolchain
> level, which
Ricardo Wurmus writes:
> Leo Famulari writes:
>
>> On Tue, Jan 24, 2017 at 08:56:48PM +, ng0 wrote:
>>> Leo Famulari writes:
>>> > Should we build Tor with "--enable-expensive-hardening"?
>>>
>>> I will take a look later what can be applied other than the
>>> default configure flags.
>>>
>>
Leo Famulari writes:
> On Tue, Jan 24, 2017 at 08:56:48PM +, ng0 wrote:
>> Leo Famulari writes:
>> > Should we build Tor with "--enable-expensive-hardening"?
>>
>> I will take a look later what can be applied other than the
>> default configure flags.
>>
>> I'm all for hardening, but it see
ng0 writes:
> Leo Famulari writes:
>
>> On Tue, Jan 24, 2017 at 09:18:55PM +, ng0 wrote:
>>> ng0 writes:
>>> > Leo Famulari writes:
>>> >>> It would be great to see some movement on this during this
>>> >>> year. I volunteer to help with it, though I don't have as much
>>> >>> experience w
Leo Famulari writes:
> On Tue, Jan 24, 2017 at 09:18:55PM +, ng0 wrote:
>> ng0 writes:
>> > Leo Famulari writes:
>> >>> It would be great to see some movement on this during this
>> >>> year. I volunteer to help with it, though I don't have as much
>> >>> experience with SELinux (and only b
On Tue, Jan 24, 2017 at 09:18:55PM +, ng0 wrote:
> ng0 writes:
> > Leo Famulari writes:
> >>> It would be great to see some movement on this during this
> >>> year. I volunteer to help with it, though I don't have as much
> >>> experience with SELinux (and only basic experience with
> >>> GrS
ng0 writes:
> Leo Famulari writes:
>
>> On Tue, Jan 24, 2017 at 08:56:48PM +, ng0 wrote:
>>> Leo Famulari writes:
>>> > Should we build Tor with "--enable-expensive-hardening"?
>>>
>>> I will take a look later what can be applied other than the
>>> default configure flags.
>>>
>>> I'm all
Leo Famulari writes:
> On Tue, Jan 24, 2017 at 08:56:48PM +, ng0 wrote:
>> Leo Famulari writes:
>> > Should we build Tor with "--enable-expensive-hardening"?
>>
>> I will take a look later what can be applied other than the
>> default configure flags.
>>
>> I'm all for hardening, but it se
On Tue, Jan 24, 2017 at 08:56:48PM +, ng0 wrote:
> Leo Famulari writes:
> > Should we build Tor with "--enable-expensive-hardening"?
>
> I will take a look later what can be applied other than the
> default configure flags.
>
> I'm all for hardening, but it seems that the first basic ideas
>
Ludovic Courtès writes:
> Leo Famulari skribis:
>
>> On Wed, Dec 30, 2015 at 05:06:30PM +0100, Ludovic Courtès wrote:
>>> Alex Vong skribis:
>>> > Yes, I grep for `fstack-protector-strong' in the guix code base and no
>>> > matches are found. It appears no packages are setting this flag
>>> > c
Leo Famulari skribis:
> On Wed, Dec 30, 2015 at 05:06:30PM +0100, Ludovic Courtès wrote:
>> Alex Vong skribis:
>> > Yes, I grep for `fstack-protector-strong' in the guix code base and no
>> > matches are found. It appears no packages are setting this flag
>> > currently. I think this flag (perha
ng0 writes:
> Alex Vong writes:
>
>> Hi,
>>
>> Wow, this was a long time ago. I've forgotten this completely.
>>
>> Ricardo Wurmus writes:
>>
>>> Leo Famulari writes:
>>>
On Wed, Dec 30, 2015 at 05:06:30PM +0100, Ludovic Courtès wrote:
> Alex Vong skribis:
> > Yes, I grep for `fstack-
ng0 writes:
> Alex Vong writes:
>
>> Hi,
>>
>> Wow, this was a long time ago. I've forgotten this completely.
>>
>> Ricardo Wurmus writes:
>>
>>> Leo Famulari writes:
>>>
On Wed, Dec 30, 2015 at 05:06:30PM +0100, Ludovic Courtès wrote:
> Alex Vong skribis:
> > Yes, I grep for `fstack-
Alex Vong writes:
> Hi,
>
> Wow, this was a long time ago. I've forgotten this completely.
>
> Ricardo Wurmus writes:
>
>> Leo Famulari writes:
>>
>>> On Wed, Dec 30, 2015 at 05:06:30PM +0100, Ludovic Courtès wrote:
Alex Vong skribis:
> Yes, I grep for `fstack-protector-strong' in the gui
Hi,
Wow, this was a long time ago. I've forgotten this completely.
Ricardo Wurmus writes:
> Leo Famulari writes:
>
>> On Wed, Dec 30, 2015 at 05:06:30PM +0100, Ludovic Courtès wrote:
>>> Alex Vong skribis:
>>> > Yes, I grep for `fstack-protector-strong' in the guix code base and no
>>> > matches a
Leo Famulari writes:
> On Wed, Dec 30, 2015 at 05:06:30PM +0100, Ludovic Courtès wrote:
>> Alex Vong skribis:
>> > Yes, I grep for `fstack-protector-strong' in the guix code base and no
>> > matches are found. It appears no packages are setting this flag
>> > currently. I think this flag (perha
On Wed, Dec 30, 2015 at 05:06:30PM +0100, Ludovic Courtès wrote:
> Alex Vong skribis:
> > Yes, I grep for `fstack-protector-strong' in the guix code base and no
> > matches are found. It appears no packages are setting this flag
> > currently. I think this flag (perhaps also a couple others) shoul
27 matches