On 03/29/13 at 08:47pm, Björn Persson wrote:
>> 2. An alternate approach is to come up with an expanded list of
>> which should be hardened.
> Since FESCo maintains a list, I suppose anyone can propose specific
> programs to be added to the list, but it seems pointless to explicitly
> list programs that are already covered by the first three criteria.
I agree that it seems pointless (and tedious) to explicitly list
programs which are already covered.
However, many packages (like PostgreSQL, Dovecot and MongoDB) meet the
criteria but still are not getting hardened. I am not sure about the
underlying reasons (oversight / performance concerns / etc.).
What would be a good way to solve this problem in your opinion?
(File bugs / Explicitly list such packages / Turn on hardening by default)
It would be great to have some sort of automated method to find out
whether the hardening criteria apply to a particular package. Ideas are welcome!