Re: Switch on compiler hardening defaults

2010-01-07 Thread Henrique de Moraes Holschuh
On Tue, 05 Jan 2010, Michael Gilbert wrote: On Wed, 6 Jan 2010 11:01:01 +0800 Paul Wise wrote: On Wed, Jan 6, 2010 at 9:20 AM, Kees Cook k...@debian.org wrote: There is a maintained (by RedHat) patch for dealing with PIE.  I already It is perfectly reasonable to reject patches until

Re: Switch on compiler hardening defaults

2010-01-07 Thread Henrique de Moraes Holschuh
On Thu, 07 Jan 2010, Henrique de Moraes Holschuh wrote: So, the question that needs an answer is: _why_ isn't it upstream yet? And that has been answered in another part of this thread. -- One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness

Re: Switch on compiler hardening defaults

2010-01-06 Thread Paul Wise
On Wed, Jan 6, 2010 at 12:37 PM, Kees Cook k...@debian.org wrote: On Wed, Jan 06, 2010 at 11:01:01AM +0800, Paul Wise wrote: On Wed, Jan 6, 2010 at 9:20 AM, Kees Cook k...@debian.org wrote: There is a maintained (by RedHat) patch for dealing with PIE.  I already maintain a delta for this in

Re: Switch on compiler hardening defaults

2010-01-06 Thread Paul Wise
On Wed, Jan 6, 2010 at 4:28 PM, Paul Wise p...@debian.org wrote: On Wed, Jan 6, 2010 at 12:37 PM, Kees Cook k...@debian.org wrote: On Wed, Jan 06, 2010 at 11:01:01AM +0800, Paul Wise wrote: On Wed, Jan 6, 2010 at 9:20 AM, Kees Cook k...@debian.org wrote: There is a maintained (by RedHat)

Re: Switch on compiler hardening defaults

2010-01-06 Thread Julien Cristau
On Tue, Jan 5, 2010 at 23:05:30 -0500, Michael Gilbert wrote: Remember that item 4 of the social contract states that: Our priorities are our users and free software. Every time you say that, god kills a kitten. Please, think of the kittens. Cheers, Julien

Re: Switch on compiler hardening defaults

2010-01-06 Thread Patrick Schoenfeld
On Wed, Jan 06, 2010 at 10:00:55AM +, Julien Cristau wrote: On Tue, Jan 5, 2010 at 23:05:30 -0500, Michael Gilbert wrote: Remember that item 4 of the social contract states that: Our priorities are our users and free software. Every time you say that, god kills a kitten. Please,

Re: Switch on compiler hardening defaults

2010-01-06 Thread Marco d'Itri
On Jan 06, Julien Cristau jcris...@debian.org wrote: Remember that item 4 of the social contract states that: Our priorities are our users and free software. Every time you say that, god kills a kitten. Please, think of the kittens. We need something like Godwin's law about it. -- ciao,

Re: Switch on compiler hardening defaults

2010-01-06 Thread Jan Kratochvil
On Wed, 06 Jan 2010 09:29:42 +0100, Paul Wise wrote: Hmm, OK. I'm quite surprised Fedora carries so many[1] patches to GDB, 1. http://cvs.fedoraproject.org/viewvc/rpms/gdb/devel/ Temporarily current devel is: http://cvs.fedoraproject.org/viewvc/rpms/gdb/F-12/ (but you are right 99%

Re: Switch on compiler hardening defaults

2010-01-06 Thread gregor herrmann
On Wed, 06 Jan 2010 14:30:40 +0100, Marco d'Itri wrote: On Jan 06, Julien Cristau jcris...@debian.org wrote: Remember that item 4 of the social contract states that: Our priorities are our users and free software. Every time you say that, god kills a kitten. Please, think of the

Re: Switch on compiler hardening defaults

2010-01-06 Thread Paul Wise
On Wed, 2010-01-06 at 21:46 +0100, Jan Kratochvil wrote: All the GDB patches/data I have available are public. All the expressed opinions are my personal ones unrelated to Red Hat or even the Archer project./disclaimer Thanks for the detailed and extensive information and your work on GDB.

Re: Switch on compiler hardening defaults

2010-01-05 Thread Kees Cook
On Thu, Dec 24, 2009 at 12:23:01PM +0100, Stefan Fritsch wrote: On Thu, 24 Dec 2009, Kees Cook wrote: With the new package, the arch-specific logic for hardening defaults is in one place, and a maintainer can selectively disable anything they don't want on by default. This might be a good

Re: Switch on compiler hardening defaults

2010-01-05 Thread Paul Wise
On Wed, Jan 6, 2010 at 9:20 AM, Kees Cook k...@debian.org wrote: There is a maintained (by RedHat) patch for dealing with PIE.  I already maintain a delta for this in Ubuntu, but as you can see in the gdb bug, the gdb maintainer doesn't want it until it's in upstream.  I, obviously, think

Re: Switch on compiler hardening defaults

2010-01-05 Thread Michael Gilbert
On Wed, 6 Jan 2010 11:01:01 +0800 Paul Wise wrote: On Wed, Jan 6, 2010 at 9:20 AM, Kees Cook k...@debian.org wrote: There is a maintained (by RedHat) patch for dealing with PIE.  I already maintain a delta for this in Ubuntu, but as you can see in the gdb bug, the gdb maintainer doesn't

Re: Switch on compiler hardening defaults

2010-01-05 Thread Kees Cook
Hi, On Wed, Jan 06, 2010 at 11:01:01AM +0800, Paul Wise wrote: On Wed, Jan 6, 2010 at 9:20 AM, Kees Cook k...@debian.org wrote: There is a maintained (by RedHat) patch for dealing with PIE.  I already maintain a delta for this in Ubuntu, but as you can see in the gdb bug, the gdb

Re: Switch on compiler hardening defaults

2009-12-26 Thread Bastian Blank
On Sat, Dec 26, 2009 at 01:29:48AM +0100, Kurt Roeckx wrote: On Tue, Oct 27, 2009 at 11:51:35PM +0100, Bastian Blank wrote: What would be a step forward: - Make any code PIC, including binaries (PIE) and static libs. static libs would need to be PIE, not PIC. The differences between PIC and

Re: Switch on compiler hardening defaults

2009-12-25 Thread Henrique de Moraes Holschuh
On Thu, 24 Dec 2009, Kees Cook wrote: Anyway, I'd appreciate a bug report against amavisd-new with whatever information is pertinent about PIE, if you guys want us to add it to the package. I already opened it in August when I added the patch for it in Ubuntu. :)

Re: Switch on compiler hardening defaults

2009-12-25 Thread Kurt Roeckx
On Tue, Oct 27, 2009 at 11:51:35PM +0100, Bastian Blank wrote: What would be a step forward: [...] - Make any code PIC, including binaries (PIE) and static libs. static libs would need to be PIE, not PIC. This is something that's not properly supported on all our arches. Some people will also

Re: Switch on compiler hardening defaults

2009-12-24 Thread Kees Cook
[dropped debian-gcc from the CCs as this is probably rather off topic now] Hi Petter, On Mon, Dec 21, 2009 at 08:16:08AM +0100, Petter Reinholdtsen wrote: [Kees Cook] As an example, I have a debdiff against openssh to use it: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=561887 With

Re: Switch on compiler hardening defaults

2009-12-24 Thread Stefan Fritsch
On Thu, 24 Dec 2009, Kees Cook wrote: With the new package, the arch-specific logic for hardening defaults is in one place, and a maintainer can selectively disable anything they don't want on by default. This might be a good compromise to get network services hardened without changing the

Re: Switch on compiler hardening defaults

2009-12-24 Thread Romain Francoise
Kees Cook k...@debian.org writes: And built with hardening-includes: openbsd-inetd tcpdump -- Romain Francoise rfranco...@debian.org http://people.debian.org/~rfrancoise/

Re: Switch on compiler hardening defaults

2009-12-24 Thread Henrique de Moraes Holschuh
On Thu, 24 Dec 2009, Kees Cook wrote: That's certainly a viable plan. This is kind of the approach we took in Ubuntu for the PIE feature. We also considered packages with a less than stellar security history. The list of packages built with PIE in Ubuntu is: (see

Re: Switch on compiler hardening defaults

2009-12-24 Thread Kees Cook
Hi Henrique, On Thu, Dec 24, 2009 at 03:25:32PM -0200, Henrique de Moraes Holschuh wrote: On Thu, 24 Dec 2009, Kees Cook wrote: That's certainly a viable plan. This is kind of the approach we took in Ubuntu for the PIE feature. We also considered packages with a less than stellar

Re: Switch on compiler hardening defaults

2009-12-20 Thread Kees Cook
Hi, On Tue, Nov 24, 2009 at 09:38:41PM +0100, Moritz Muehlenhoff wrote: On 2009-11-05, Kees Cook k...@debian.org wrote: This would certainly be better than nothing, and better than the hardening-wrapper package, but it would require that every package in Debian be modified to respect

Re: Switch on compiler hardening defaults

2009-12-20 Thread Petter Reinholdtsen
[Kees Cook] As an example, I have a debdiff against openssh to use it: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=561887 With the new package, the arch-specific logic for hardening defaults is in one place, and a maintainer can selectively disable anything they don't want on by

Re: Switch on compiler hardening defaults

2009-11-01 Thread Matthias Klose
On 25.10.2009 19:55, Kees Cook wrote: Hello, I would like to propose enabling[1] the GCC hardening patches that Ubuntu uses[2]. Ubuntu has used it successfully for 1.5 years now (3 releases), and many of the issues have already been fixed in packages that needed adjustment[3]. After all this

Re: Switch on compiler hardening defaults

2009-11-01 Thread Ben Hutchings
On Sun, 2009-11-01 at 19:53 +0100, Matthias Klose wrote: On 25.10.2009 19:55, Kees Cook wrote: [...] - makes more work for dealing with warnings. Rebuttal: those warnings are there for a reason -- they can be real security issues, and should be fixed.

Re: Switch on compiler hardening defaults

2009-11-01 Thread Samuel Thibault
Ben Hutchings, on Sun 01 Nov 2009 19:06:59 +, wrote: On Sun, 2009-11-01 at 19:53 +0100, Matthias Klose wrote: On 25.10.2009 19:55, Kees Cook wrote: [...] - makes more work for dealing with warnings. Rebuttal: those warnings are there for a reason -- they can

Re: Switch on compiler hardening defaults

2009-11-01 Thread Bastian Blank
On Sun, Nov 01, 2009 at 08:10:44PM +0100, Samuel Thibault wrote: Ben Hutchings, on Sun 01 Nov 2009 19:06:59 +, wrote: On Sun, 2009-11-01 at 19:53 +0100, Matthias Klose wrote: there are some functions in glibc which are questionably declared with the warn about unused result

Re: Switch on compiler hardening defaults

2009-11-01 Thread Gabor Gombas
On Sun, Nov 01, 2009 at 08:10:44PM +0100, Samuel Thibault wrote: In general you cannot rely on checking errno because it is not defined whether a successful operation clears it. But you can clear it by hand before calling them. That's only true in some special cases; for example, SuSv3

Re: Switch on compiler hardening defaults

2009-10-30 Thread Henrique de Moraes Holschuh
On Thu, 29 Oct 2009, Kees Cook wrote: On Thu, Oct 29, 2009 at 10:01:08PM -0200, Henrique de Moraes Holschuh wrote: On Tue, 27 Oct 2009, Kees Cook wrote: On Mon, Oct 26, 2009 at 11:14:25AM +0100, Bastian Blank wrote: On Sun, Oct 25, 2009 at 11:55:25AM -0700, Kees Cook wrote: I would

Re: Switch on compiler hardening defaults

2009-10-29 Thread Henrique de Moraes Holschuh
On Thu, 29 Oct 2009, Christoph Anton Mitterer wrote: On Tue, 2009-10-27 at 22:19 -0200, Henrique de Moraes Holschuh wrote: Well, the issue raised in LKML is that you absolutely should *not* enable -fstack-protector-all unless you _really_ know what you're doing, and most certainly not by

Re: Switch on compiler hardening defaults

2009-10-29 Thread Henrique de Moraes Holschuh
On Tue, 27 Oct 2009, Kees Cook wrote: On Mon, Oct 26, 2009 at 11:14:25AM +0100, Bastian Blank wrote: On Sun, Oct 25, 2009 at 11:55:25AM -0700, Kees Cook wrote: I would like to propose enabling[1] the GCC hardening patches that Ubuntu uses[2]. How do they work? Do they also change the

Re: Switch on compiler hardening defaults

2009-10-29 Thread Kees Cook
On Thu, Oct 29, 2009 at 10:01:08PM -0200, Henrique de Moraes Holschuh wrote: On Tue, 27 Oct 2009, Kees Cook wrote: On Mon, Oct 26, 2009 at 11:14:25AM +0100, Bastian Blank wrote: On Sun, Oct 25, 2009 at 11:55:25AM -0700, Kees Cook wrote: I would like to propose enabling[1] the GCC

Re: Switch on compiler hardening defaults

2009-10-28 Thread Christoph Anton Mitterer
On Tue, 2009-10-27 at 22:19 -0200, Henrique de Moraes Holschuh wrote: Well, the issue raised in LKML is that you absolutely should *not* enable -fstack-protector-all unless you _really_ know what you're doing, and most certainly not by default. It has nothing to do with -fstack-protector, just

Re: Switch on compiler hardening defaults

2009-10-27 Thread Yves-Alexis Perez
On Tue., 2009-10-27 at 09:32 +0800, Paul Wise wrote: On Tue, Oct 27, 2009 at 4:41 AM, Christoph Anton Mitterer cales...@scientia.net wrote: Ever thought about integrating PaX [0] per default in Debian? I'm however not sure how much this actually breaks ;) Any idea if these patches will

Re: Switch on compiler hardening defaults

2009-10-27 Thread Paul Wise
On Tue, Oct 27, 2009 at 2:52 PM, Yves-Alexis Perez cor...@debian.org wrote: On Tue., 2009-10-27 at 09:32 +0800, Paul Wise wrote: On Tue, Oct 27, 2009 at 4:41 AM, Christoph Anton Mitterer cales...@scientia.net wrote: Ever thought about integrating PaX [0] per default in Debian? I'm however

Re: Switch on compiler hardening defaults

2009-10-27 Thread Henrique de Moraes Holschuh
On Mon, 26 Oct 2009, Gabor Gombas wrote: On Mon, Oct 26, 2009 at 11:14:25AM +0100, Bastian Blank wrote: On Sun, Oct 25, 2009 at 11:55:25AM -0700, Kees Cook wrote: I would like to propose enabling[1] the GCC hardening patches that Ubuntu uses[2]. How do they work? Do they also change

Re: Switch on compiler hardening defaults

2009-10-27 Thread Kees Cook
On Mon, Oct 26, 2009 at 11:14:25AM +0100, Bastian Blank wrote: On Sun, Oct 25, 2009 at 11:55:25AM -0700, Kees Cook wrote: I would like to propose enabling[1] the GCC hardening patches that Ubuntu uses[2]. How do they work? Do they also change the free-standing compiler or only the hosted

Re: Switch on compiler hardening defaults

2009-10-27 Thread Samuel Thibault
Kees Cook, on Tue 27 Oct 2009 14:11:43 -0700, wrote: On Mon, Oct 26, 2009 at 11:14:25AM +0100, Bastian Blank wrote: On Sun, Oct 25, 2009 at 11:55:25AM -0700, Kees Cook wrote: I would like to propose enabling[1] the GCC hardening patches that Ubuntu uses[2]. How do they work? Do

Re: Switch on compiler hardening defaults

2009-10-27 Thread Kees Cook
Hi, On Tue, Oct 27, 2009 at 01:30:12PM -0200, Henrique de Moraes Holschuh wrote: On Mon, 26 Oct 2009, Gabor Gombas wrote: On Mon, Oct 26, 2009 at 11:14:25AM +0100, Bastian Blank wrote: On Sun, Oct 25, 2009 at 11:55:25AM -0700, Kees Cook wrote: I would like to propose enabling[1] the GCC

Re: Switch on compiler hardening defaults

2009-10-27 Thread Christoph Anton Mitterer
On Tue, 2009-10-27 at 09:32 +0800, Paul Wise wrote: Any idea if these patches will be merged upstream? It's probably quite unlikely,... although I never understood why,.. Even though it's available for some architectures,.. it would improve security at least on them. Cheers,

Re: Switch on compiler hardening defaults

2009-10-27 Thread Christoph Anton Mitterer
On Tue, 2009-10-27 at 15:48 +0800, Paul Wise wrote: http://wiki.debian.org/DebianKernelPatchAcceptanceGuidelines http://kernel-handbook.alioth.debian.org/ch-source.html#s-acceptance The thing is,.. A patch like PaX would (IMHO) improve security a lot,... and it would be worth thinking for a

Re: Switch on compiler hardening defaults

2009-10-27 Thread Bastian Blank
On Mon, Oct 26, 2009 at 09:41:59PM +0100, Christoph Anton Mitterer wrote: Ever thought about integrating PaX [0] per default in Debian? What features does the grsecurity patch provide currently? I know that several of the mentioned PaX features are supported in vanilla kernel in the meantime: -

Re: Switch on compiler hardening defaults

2009-10-27 Thread Henrique de Moraes Holschuh
On Tue, 27 Oct 2009, Kees Cook wrote: It seems the kernel will not be happy if the stack protector is switched on unconditionally: http://osdir.com/ml/linux-kernel/2009-10/msg07064.html Indeed. The kernel build system needs to be able to command whether stackprotect is enabled

Re: Switch on compiler hardening defaults

2009-10-27 Thread Kees Cook
Hi, On Tue, Oct 27, 2009 at 10:19:22PM -0200, Henrique de Moraes Holschuh wrote: On Tue, 27 Oct 2009, Kees Cook wrote: It seems the kernel will not be happy if the stack protector is switched on unconditionally: http://osdir.com/ml/linux-kernel/2009-10/msg07064.html

Re: Switch on compiler hardening defaults

2009-10-26 Thread Romain Francoise
Kees Cook k...@debian.org writes: I would like to propose enabling[1] the GCC hardening patches that Ubuntu uses[2]. Ubuntu has used it successfully for 1.5 years now (3 releases), and many of the issues have already been fixed in packages that needed adjustment[3]. After all this time, use

Re: Switch on compiler hardening defaults

2009-10-26 Thread Michael Tautschnig
On Monday 26 October 2009 09:22:26 Marco d'Itri wrote: I would like to propose enabling[1] the GCC hardening patches that Ubuntu uses[2]. Seconded. Thirded. +1. Thanks for bringing this up, Michael

Re: Switch on compiler hardening defaults

2009-10-26 Thread Bastian Blank
On Sun, Oct 25, 2009 at 11:55:25AM -0700, Kees Cook wrote: I would like to propose enabling[1] the GCC hardening patches that Ubuntu uses[2]. How do they work? Do they also change the free-standing compiler or only the hosted one? There is a lot of software, which (I would say) misuses the

Re: Switch on compiler hardening defaults

2009-10-26 Thread Gabor Gombas
On Mon, Oct 26, 2009 at 11:14:25AM +0100, Bastian Blank wrote: On Sun, Oct 25, 2009 at 11:55:25AM -0700, Kees Cook wrote: I would like to propose enabling[1] the GCC hardening patches that Ubuntu uses[2]. How do they work? Do they also change the free-standing compiler or only the hosted

Re: Switch on compiler hardening defaults

2009-10-26 Thread Florian Weimer
* Kees Cook: I would like to propose enabling[1] the GCC hardening patches that Ubuntu uses[2]. Seems a good idea to me. But I think we should defer the required full archive rebuild until we've got the hardening patch for operator new[] (which currently can return a heap block which is

Re: Switch on compiler hardening defaults

2009-10-26 Thread Kees Cook
Hi, On Mon, Oct 26, 2009 at 01:36:28PM +0100, Florian Weimer wrote: * Kees Cook: I would like to propose enabling[1] the GCC hardening patches that Ubuntu uses[2]. Seems a good idea to me. But I think we should defer the required full archive rebuild until we've got the hardening patch

Re: Switch on compiler hardening defaults

2009-10-26 Thread Christoph Anton Mitterer
Hi. Ever thought about integrating PaX [0] per default in Debian? I'm however not sure how much this actually breaks ;) Cheers, Chris. [0] http://pax.grsecurity.net/

Re: Switch on compiler hardening defaults

2009-10-26 Thread Paul Wise
On Tue, Oct 27, 2009 at 4:41 AM, Christoph Anton Mitterer cales...@scientia.net wrote: Ever thought about integrating PaX [0] per default in Debian? I'm however not sure how much this actually breaks ;) Any idea if these patches will be merged upstream? -- bye, pabs

Switch on compiler hardening defaults

2009-10-25 Thread Kees Cook
Hello, I would like to propose enabling[1] the GCC hardening patches that Ubuntu uses[2]. Ubuntu has used it successfully for 1.5 years now (3 releases), and many of the issues have already been fixed in packages that needed adjustment[3]. After all this time, use of the hardening-wrapper[4]

Re: Switch on compiler hardening defaults

2009-10-25 Thread James Vega
On Sun, Oct 25, 2009 at 11:55:25AM -0700, Kees Cook wrote: Arguments against: - makes the compiler's behavior different than stock compiler. Rebuttal: honestly, I don't care -- it seems like such a huge win for safety and is easy to debug. Debian

Re: Switch on compiler hardening defaults

2009-10-25 Thread Ryan Niebur
On Sun, Oct 25, 2009 at 03:21:01PM -0400, James Vega wrote: On Sun, Oct 25, 2009 at 11:55:25AM -0700, Kees Cook wrote: Arguments against: - makes the compiler's behavior different than stock compiler. Rebuttal: honestly, I don't care -- it seems like such a

Re: Switch on compiler hardening defaults

2009-10-25 Thread Marco d'Itri
On Oct 25, Kees Cook k...@debian.org wrote: I would like to propose enabling[1] the GCC hardening patches that Ubuntu uses[2]. Seconded. hardening-wrapper does not look like a solution to me since it execs perl for each call to gcc and ld when installed (even when inactive). And as you

Re: Switch on compiler hardening defaults

2009-10-25 Thread Russell Coker
On Monday 26 October 2009 09:22:26 Marco d'Itri wrote: I would like to propose enabling[1] the GCC hardening patches that Ubuntu uses[2]. Seconded. Thirded.