Expanding the list of "Hardened Packages"

Dhiru Kholia dhiru.kholia at gmail.com
Fri Mar 29 16:38:37 UTC 2013


This proposal was originally at https://fedorahosted.org/fesco/ticket/1104

(mitr asked me to move the discussion to fedora-devel to get more
attention and feedback)


http://fedoraproject.org/wiki/Hardened_Packages page mentions
that "FESCo requires some packages to use PIE and relro hardening by

It would be great if this list could be expanded to include even more
packages which are at comparatively more risk of being exploited (locally
or remotely).

Such packages will typically include various system daemons, network
daemons and network enabled applications.

Lot of network daemons are already using PIE and RELRO (e.g. httpd,
MariaDB). So a natural question is why packages in same "network
daemons" class like PostgreSQL, Dovecot and MongoDB aren't being

Some of the ways to implement this proposal are,

1. Hardening flags should be turned on (by default) for all packages
which are at comparatively more risk of being exploited or which meet
some well-defined criteria (suggestions welcome).

"Packaging Guidelines" say that "Other packages may enable the flags at
the maintainer's discretion."

Thinking from a security perspective, I find "Hardening flags can only
be disabled for other packages at the maintainer's discretion provided
enough justification is given to FESCo" to be more appropriate.

2. An alternate approach is to come up with an expanded list of packages
which should be hardened.

Any feedback is welcome!


More information about the devel mailing list