F22 System Wide Change: Harden all packages with position-independent code

Francisco Alonso rs at revskills.cz
Sat Jan 10 16:21:21 UTC 2015


Hi,

I've been testing in advance, doing mass rebuilds with changed macros, and the
results are pretty good (I mean x86_64 f20, f21 + grsecurity custom
kernels). It is clear that we will find regressions; we just have to start
and test it. It is an important and necessary change.

If anyone is interested, it would be important to look at uClibc and musl
(Alpine Linux is based on this one).
http://www.etalabs.net/compare_libcs.html

Note that other distributions are doing an excellent job with hardened
profiles, like Gentoo or, more recently, openSUSE Gardened:

http://wiki.gentoo.org/wiki/Project:Hardened_musl
http://wiki.gentoo.org/wiki/Project:Hardened_uClibc
https://github.com/kdave/openSUSE-gardened/wiki/openSUSE-gardened

We have to work on mitigation rather than patching and trusting
not-responsible maintainers of some packages. This includes thinking seriously
about having a kernel with grsecurity patches.

Cheers,



On Sat, Jan 10, 2015 at 4:19 PM, Peter Robinson <pbrobinson at gmail.com>
wrote:

> > On Thu, 2015-01-08 at 08:47 -0500, Paul Wouters wrote:
> >> On Thu, 8 Jan 2015, Dhiru Kholia wrote:
> >>
> >> >> |     Your package accepts/processes untrusted input.
> >> >>
> >> >> This seems to be about every package that I use, because I most if
> not
> >> >> all tools process untrusted data from the Internet.
> >> >
> >> > +1. This view is rapidly gaining traction and visibility in recent
> times.
> >>
> >> Can we throw prelink out as well when we do this?
> >
> >
> > Prelink is already gone. We haven't been running it since F19, IIRC.
>
> It's not completely gone; there are still a number of packages that run
> it as part of the install or build process, because I've had to fix
> ppc64le/aarch64 package builds because we don't have it at all on
> those platforms. I think we also ship it by default.
>
> Peter
> --
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
>



-- 

Francisco Alonso.
http://twitter.com/revskills
PGP: 0xE2E64DCA
--
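The change discussed in this thread is easiest to audit after the fact from the ELF header itself: an executable built without PIE is ET_EXEC, while a PIE executable (and every shared object) is ET_DYN. The script below is an added example, not code from this thread or from Fedora's build tooling. It uses only od, dd, find and awk, so it runs inside a minimal buildroot without binutils, and it constructs two bare 64-byte ELF64 headers inline as sample input. The sole caveat is stated in the comments: DYN alone does not prove PIE, since a shared library without a PT_INTERP segment is also ET_DYN, whereas EXEC is always a non-PIE executable and is the count a PIE mass rebuild should drive to zero.

```shell
#!/bin/sh
# Added example (not from the thread): classify ELF files by e_type so a
# mass rebuild can be audited for leftover fixed-address (non-PIE) executables.
# Uses only od, dd, find and awk; no binutils required.
set -eu

# Print the e_type of an ELF file: EXEC (ET_EXEC, fixed load address, never PIE),
# DYN (ET_DYN: a PIE executable or a shared object) or OTHER (REL, CORE, ...).
# Prints NOTELF and returns 1 if the magic bytes are missing.
elf_type() {
    f=$1
    magic=$(od -An -tx1 -j0 -N4 "$f" | tr -d ' \n')
    if [ "$magic" != "7f454c46" ]; then
        echo NOTELF
        return 1
    fi
    data=$(od -An -tu1 -j5 -N1 "$f" | tr -d ' \n')   # EI_DATA: 1 = LE, 2 = BE
    b0=$(od -An -tu1 -j16 -N1 "$f" | tr -d ' \n')    # e_type, first byte
    b1=$(od -An -tu1 -j17 -N1 "$f" | tr -d ' \n')    # e_type, second byte
    if [ "$data" = 2 ]; then
        etype=$((b0 * 256 + b1))
    else
        etype=$((b1 * 256 + b0))
    fi
    case $etype in
        2) echo EXEC ;;
        3) echo DYN ;;
        *) echo OTHER ;;
    esac
}

# Walk a tree and print "<type> <path>" for every ELF file found.
# Caveat: DYN alone does not prove PIE; a DYN file without a PT_INTERP
# segment is a shared library. EXEC, however, is always a non-PIE executable.
scan_tree() {
    find "$1" -type f | while IFS= read -r f; do
        t=$(elf_type "$f" 2>/dev/null) || continue
        echo "$t $f"
    done
}

# Number of ET_EXEC files under a tree: what a PIE rebuild should drive to zero.
count_non_pie() {
    scan_tree "$1" | awk '$1 == "EXEC" { n++ } END { print n + 0 }'
}

# Constructed sample input: a bare 64-byte ELF64 little-endian x86-64 header
# with the given e_type (an octal escape such as '\002'); every other field zero.
make_elf64_header() {
    {
        printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000'  # e_ident (16 bytes)
        printf "$2"'\000'                                                # e_type, little-endian
        printf '\076\000'                                                # e_machine = EM_X86_64
        printf '\001\000\000\000'                                        # e_version
        dd if=/dev/zero bs=40 count=1 2>/dev/null                        # e_entry ... e_shstrndx zeroed
    } > "$1"
}

# Usage: sh pie_audit.sh /path/to/buildroot
if [ "$#" -gt 0 ]; then
    scan_tree "$1"
    echo "non-PIE executables: $(count_non_pie "$1")"
fi
```

Point it at an installed buildroot or an unpacked RPM payload; every line starting with EXEC is a binary the rebuild missed. For a definitive PIE verdict on the DYN entries, `readelf -l` (look for an INTERP program header) or `readelf -d` (DT_FLAGS_1 with the PIE flag) gives the full picture where binutils is available.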