Leo Famulari <l...@famulari.name> writes:

> On Tue, Jan 24, 2017 at 08:56:48PM +0000, ng0 wrote:
>> Leo Famulari <l...@famulari.name> writes:
>> > Should we build Tor with "--enable-expensive-hardening"?
>>
>> I will take a look later what can be applied other than the
>> default configure flags.
>>
>> I'm all for hardening, but it seems that the first basic ideas
>> for Guix are stuck in the idea state.
>
> As far as I can tell, --enable-expensive-hardening is specific to Tor,
> so it's not relevant to the project of hardening all Guix packages.

Yes. I'm building this change right now:

+ (arguments + `(#:configure-flags (list "--enable-expensive-hardening" + "--enable-gcc-hardening" + "--enable-linker-hardening")))

Taken from Gentoo, I trust their hardening project to debug and
discover good usage.

>> It would be great to see some movement on this during this
>> year. I volunteer to help with it, though I don't have as much
>> experience with SELinux (and only basic experience with
>> GrSecurity without a modular kernel like GuixSD uses).
>
> Yes, this effort needs a champion.

--
♥Ⓐ ng0 -- https://www.inventati.org/patternsinthechaos/
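
Review bot: the three entries in the #:configure-flags list go in without a comment saying what each one is for, and "--enable-expensive-hardening" is the one that most needs it: the name itself signals a runtime cost, and the quoted discussion already notes the option is specific to Tor. I would add a short comment above the list recording that the set was taken from Gentoo and why the expensive option is wanted, and check whether "--enable-gcc-hardening" and "--enable-linker-hardening" change anything relative to the default configure flags before keeping them in the list.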