On Wed, Dec 30, 2015 at 05:06:30PM +0100, Ludovic Courtès wrote:
> Alex Vong <alexvong1...@gmail.com> skribis:
>
> > Yes, I grep for `fstack-protector-strong' in the guix code base and no
> > matches are found. It appears no packages are setting this flag
> > currently. I think this flag (perhaps also a couple others) should be
> > set by default since they help protect against buffer overflow
> > <https://en.wikipedia.org/wiki/Buffer_overflow_protection>.
>
> I definitely agree, that’s something I’ve been wanting to try out.
>
> The question is more how. Do we change the default #:configure-flags
> for ‘gnu-build-system’ to something like:
>
> '("CPPFLAGS=-D_FORTIFY_SOURCE=2"
> "CFLAGS=-O2 -g -fstack-protector-strong")
>
> ?
>
> That sounds like a good starting point, but I expect that (1) one third
> of the packages will fail to build, and (2) another third of the
> packages will not get these flags, for instance because they pass their
> own #:configure-flags.
>
> IOW, it will take a whole rebuild to find out exactly what’s going on
> and to fix any issues.
>
> Would you like to start working on it? Then we could create a branch,
> have Hydra build it, and incrementally fix things.
We should pick this project back up. I was surprised to find we haven't done anything like this after reading this recent blog post about Nix's hardening effort: https://blog.mayflower.de/5800-Hardening-Compiler-Flags-for-NixOS.html?utm_source=twitterfeed&utm_medium=twitter
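The quoted message points out that after a full rebuild some packages will silently miss the new flags (for instance because they pass their own #:configure-flags). A quick way to triage build outputs for that is to look for the runtime symbols the two flags introduce: -fstack-protector-strong makes functions with stack buffers reference __stack_chk_fail, and -D_FORTIFY_SOURCE=2 rewrites unsafe libc calls to their __*_chk variants (__memcpy_chk, __printf_chk, ...). The following scanner is an added example written for this thread, not code from Guix or from the message authors; the helper names (scan_bytes, scan_file, explain) and the two sample byte blobs are constructed here. It scans NUL-separated strings instead of parsing the ELF symbol tables, so it is a coarse proxy for what tools like hardening-check do, and it is wrong in one direction the caveat in the code spells out.

```python
"""Heuristic check for hardening markers in a built ELF image.

Hypothetical helper, not part of Guix. A hit for __stack_chk_fail means
the object was compiled with some -fstack-protector* variant; __*_chk
symbols mean _FORTIFY_SOURCE rewrote at least one libc call. A miss is
weaker evidence: a binary built with -fstack-protector-strong but with no
function that needs a canary, or with no fortifiable libc call, has
nothing to reference. Confirm misses against the build log.
"""
import re
import sys

# Fortified libc entry points have the form __<name>_chk.
FORTIFY_RE = re.compile(rb"^__[A-Za-z0-9_]+_chk$")
# glibc references __stack_chk_fail; some other libcs also export
# __stack_chk_guard, so accept either as a stack-protector indicator.
STACK_PROTECTOR_SYMBOLS = {b"__stack_chk_fail", b"__stack_chk_guard"}

# Constructed samples standing in for two build outputs: one compiled with
# the flags from the thread, one without. Only the ELF magic and a
# string-table fragment are modelled; nothing else is a real ELF.
_ELF_HEADER = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
SAMPLE_HARDENED = _ELF_HEADER + b"\x00".join(
    [b"", b"libc.so.6", b"__stack_chk_fail", b"__memcpy_chk",
     b"__printf_chk", b"main", b""])
SAMPLE_PLAIN = _ELF_HEADER + b"\x00".join(
    [b"", b"libc.so.6", b"memcpy", b"printf", b"main", b""])


def scan_bytes(data):
    """Return hardening indicators found in a raw ELF image."""
    if not data.startswith(b"\x7fELF"):
        raise ValueError("not an ELF image")
    # Treat every NUL-separated run as a candidate symbol name.
    names = set(data.split(b"\x00"))
    fortified = sorted(n.decode("ascii") for n in names if FORTIFY_RE.match(n))
    return {
        "stack_protector": bool(names & STACK_PROTECTOR_SYMBOLS),
        "fortify_symbols": fortified,
    }


def scan_file(path):
    """Scan a file on disk (e.g. a binary under a store output's bin/)."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


def explain(result):
    """Human-readable reasons a result looks unhardened; empty if it is fine."""
    reasons = []
    if not result["stack_protector"]:
        reasons.append("no __stack_chk_fail: built without -fstack-protector*, "
                       "or no function needed a canary")
    if not result["fortify_symbols"]:
        reasons.append("no __*_chk symbols: built without -D_FORTIFY_SOURCE=2 "
                       "or without -O, or no fortifiable libc call")
    return reasons


def main(argv):
    # With no arguments, demonstrate on the constructed samples.
    targets = argv[1:] or []
    if not targets:
        for label, blob in (("sample-hardened", SAMPLE_HARDENED),
                            ("sample-plain", SAMPLE_PLAIN)):
            res = scan_bytes(blob)
            print(label, res, explain(res))
        return 0
    rc = 0
    for path in targets:
        try:
            res = scan_file(path)
        except (OSError, ValueError) as err:
            print(f"{path}: skipped ({err})")
            continue
        reasons = explain(res)
        print(path, res, reasons)
        rc = rc or (1 if reasons else 0)
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with one or more paths to built binaries to get a non-zero exit status when either marker is missing; without arguments it shows the two constructed samples. Because -D_FORTIFY_SOURCE only takes effect with optimisation enabled, a package whose own CFLAGS drop -O2 is one of the cases where the fortify symbols legitimately disappear.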