Your message dated Sat, 17 Dec 2016 09:50:28 +0100
with message-id
<cak0odpyccnyvwwpfyz-yw7ef_jbaazct9jxf5cxnwvqsojn...@mail.gmail.com>
and subject line Re: dpkg: Please add hardened1-linux-amd64 port
has caused the Debian Bug report #812782,
regarding dpkg: Please add hardened1-linux-amd64 port
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
812782: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812782
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dpkg
Version: 1.18.4
Severity: wishlist
Tags: patch
User: [email protected]
Usertags: hardened1-linux-amd64
Dear Guillem,
I have successfully bootstrapped the hardened1-linux-amd64 [1] port
using a set of patches [2].
I'm working towards making the port ready for being accepted to Debian
and the attached patch is the one adding the port to dpkg.
We already started the discussion regarding the viability of the port
in #760741 and I would like to continue here since the original bug
is closed by adding the sanitize feature area. (Thank you for that.)
Answering your original questions and observations:
2014-09-15 16:44 GMT+02:00 Guillem Jover <[email protected]>:
...
>
> Well, once the architecture is accepted it's “supposed” to have a
> stable os-kernel-cpu ABI defined, it seems to me you want to have the
> freedom to experiment with new developments that might break ABI? In
> which case I think this really should be a private playground until
> something stable has been defined.
For hardened1-* the major difference from the amd64 ABI is enabling ASAN
and I will stick to that.
I also #define __GNU_FEATURESET_HARDENED1__ in libc to let config.guess
detect the gnuhardened1 variant, but this does not need changes in dpkg
and will be upstreamed to GNU config project.
...
> What I meant is that I'm going to add a new feature area named “qa”,
> alongside “hardening”, so it seems it might make sense to have a new
> “sanitizer” (or similar name) feature area, with all new interesting
> sanitizer options, such as asan, ubsan, tsan, lsan, etc. Does that
> make more sense now?
Thank you for adding the feature area, I built my new patches on top of
that.
...
> I added a FAQ entry about all the requirements (I could remember) a
> new port needs to fulfill at the end of
> <https://wiki.debian.org/Teams/Dpkg/FAQ>. As it stands this
> architecture seems to fail several of them.
Thank you for the FAQ, it helped a lot. I now renamed the port to
follow uclibc's example.
Do you think the hardened1-linux-amd64 name would be OK? I'm working on
fulfilling all requirements.
>> I'm not tied to a name. I think it is reasonable and reflects that
>> this is not a port with a different kernel (hardened-amd64 vs.
>> kfreebsd-i386), but I'm open for better proposals.
>
> Any Linux port needs to use a single word name.
I think the triple-word name also conforms to current practices,
but I see that hardened-amd64 was a no-go.
>
>> I tried to explain the goals of having this new port (improved
>> security, discovering more bugs using the Debian buildds
>> automatically) and I think they make sense.
>
> Oh! I think those goals do make sense, I'm not sure if they make sense
> as part of an entire new port.
Many of the patches I'm filing enable sanitized rebuild of the amd64
archive, but I think a separate port would be an ideal solution both for
the Debian project and for our users.
Thanks in advance,
Balint
[1]
http://balintreczey.hu/blog/proposing-amd64-hardened-architecture-for-debian/
[2] https://anonscm.debian.org/cgit/users/rbalint/rebootstrap.git/
From 452b9127410427837428e75062cc9fa17633d974 Mon Sep 17 00:00:00 2001
From: Balint Reczey <[email protected]>
Date: Sun, 20 Sep 2015 19:24:23 +0200
Subject: [PATCH 1/2] Add hardened1-linux-<cpu> ports support
Those ports are based on simple <cpu> ports with a set of defaults
changed to provide better security.
---
ostable | 1 +
triplettable | 1 +
2 files changed, 2 insertions(+)
diff --git a/ostable b/ostable
index 10e0d3a..678196a 100644
--- a/ostable
+++ b/ostable
@@ -23,6 +23,7 @@ gnuabi64-linux linux-gnuabi64 linux[^-]*-gnuabi64
gnuspe-linux linux-gnuspe linux[^-]*-gnuspe
gnux32-linux linux-gnux32 linux[^-]*-gnux32
gnu-linux linux-gnu linux[^-]*(-gnu.*)?
+gnuhardened1-linux linux-gnuhardened1 linux[^-]*(-gnuhardened1.*)?
gnueabihf-kfreebsd kfreebsd-gnueabihf kfreebsd[^-]*-gnueabihf
gnu-kfreebsd kfreebsd-gnu kfreebsd[^-]*(-gnu.*)?
gnu-knetbsd knetbsd-gnu knetbsd[^-]*(-gnu.*)?
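Review bot: the new `gnuhardened1-linux` row sits after `gnu-linux`, whose regex `linux[^-]*(-gnu.*)?` already matches the whole string `linux-gnuhardened1`; if ostable is scanned top to bottom with the first matching regex winning (the reason `gnuabi64`, `gnuspe` and `gnux32` are listed above `gnu-linux`), the added row is never reached and a `*-linux-gnuhardened1` triplet silently resolves to plain `gnu-linux`. Move the row above `gnu-linux`. The optional group in `linux[^-]*(-gnuhardened1.*)?` is also wider than the neighbouring rows need: once the row is above `gnu-linux` it would claim a bare `linux` OS string too, so use a mandatory suffix like `linux[^-]*-gnuabi64` does, e.g. `gnuhardened1-linux linux-gnuhardened1 linux[^-]*-gnuhardened1`.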
diff --git a/triplettable b/triplettable
index 568a6b9..a2bd1e5 100644
--- a/triplettable
+++ b/triplettable
@@ -16,6 +16,7 @@ gnuabi64-linux-mips64 mips64
gnuspe-linux-powerpc powerpcspe
gnux32-linux-amd64 x32
gnu-linux-<cpu> <cpu>
+gnuhardened1-linux-<cpu> hardened1-linux-<cpu>
gnueabihf-kfreebsd-arm kfreebsd-armhf
gnu-kfreebsd-<cpu> kfreebsd-<cpu>
gnu-knetbsd-<cpu> knetbsd-<cpu>
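Review bot: the Debian arch name `hardened1-linux-<cpu>` breaks the convention of the surrounding rows: Linux ports map to a single word (`x32`, `powerpcspe`, `<cpu>`) and only non-Linux kernels carry a kernel prefix (`kfreebsd-<cpu>`, `knetbsd-<cpu>`), which is also the point raised earlier in this report that any Linux port needs a single-word name. Settle on a one-word name that does not repeat `linux` (the kernel is unchanged) before this lands, and note the new architecture in the changelog; the diffstat shows only the two tables being touched.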
--
2.1.4
--- End Message ---
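The lookups the patch above touches, as an added example (not dpkg's code and not part of the original report): a small Python model of how a GNU triplet is resolved through ostable and triplettable. It assumes dpkg scans ostable in file order and takes the first regex that matches the whole OS part of the triplet, and that triplettable is an exact lookup once `<cpu>` is expanded; the table fragments, the cputable subset and the triplets are constructed from the lines visible in the hunks. Running it shows that, with the row placed where the patch puts it, `x86_64-linux-gnuhardened1` collapses to `amd64`; moving the row above `gnu-linux` fixes that, but the optional suffix then also claims a bare `x86_64-linux`; a mandatory suffix does neither.

```python
"""First-match resolution of GNU triplets through dpkg-style ostable and
triplettable fragments (constructed from the rows visible in the patch)."""
import re

# ostable context rows as shown in the hunk (constructed copy). Columns:
# Debian OS name, GNU OS name, regex matched against the config.sub OS part.
OSTABLE_CONTEXT = [
    "gnuabi64-linux  linux-gnuabi64  linux[^-]*-gnuabi64",
    "gnuspe-linux    linux-gnuspe    linux[^-]*-gnuspe",
    "gnux32-linux    linux-gnux32    linux[^-]*-gnux32",
    "gnu-linux       linux-gnu       linux[^-]*(-gnu.*)?",
    "gnueabihf-kfreebsd kfreebsd-gnueabihf kfreebsd[^-]*-gnueabihf",
    "gnu-kfreebsd    kfreebsd-gnu    kfreebsd[^-]*(-gnu.*)?",
]
# The row exactly as the patch adds it, and a variant with a mandatory suffix.
ENTRY_AS_SUBMITTED = "gnuhardened1-linux linux-gnuhardened1 linux[^-]*(-gnuhardened1.*)?"
ENTRY_STRICT = "gnuhardened1-linux linux-gnuhardened1 linux[^-]*-gnuhardened1"

# triplettable rows as shown in the hunk: Debian triplet pattern -> Debian arch.
TRIPLETTABLE = [
    "gnux32-linux-amd64        x32",
    "gnu-linux-<cpu>           <cpu>",
    "gnuhardened1-linux-<cpu>  hardened1-linux-<cpu>",
    "gnu-kfreebsd-<cpu>        kfreebsd-<cpu>",
]
# Constructed subset of cputable: GNU cpu name -> Debian cpu name.
CPUTABLE = {"x86_64": "amd64", "i686": "i386"}


def build_ostable(new_entry, before_gnu_linux):
    """Return the ostable rows with new_entry placed before or after gnu-linux."""
    rows = list(OSTABLE_CONTEXT)
    pos = next(i for i, r in enumerate(rows) if r.startswith("gnu-linux "))
    rows.insert(pos if before_gnu_linux else pos + 1, new_entry)
    return rows


def gnu_os_to_debian_os(gnu_os, ostable_rows):
    """Scan ostable in file order; the first regex matching the whole OS
    string wins (assumption: mirrors dpkg's Dpkg::Arch behaviour)."""
    for row in ostable_rows:
        deb_os, _gnu_name, regex = row.split()
        if re.fullmatch(regex, gnu_os):
            return deb_os
    return None


def gnu_triplet_to_debian_arch(triplet, ostable_rows):
    """GNU triplet (cpu-os[-abi]) -> Debian arch name, or None if unknown."""
    gnu_cpu, gnu_os = triplet.split("-", 1)
    deb_cpu = CPUTABLE.get(gnu_cpu)
    deb_os = gnu_os_to_debian_os(gnu_os, ostable_rows)
    if deb_cpu is None or deb_os is None:
        return None
    deb_triplet = f"{deb_os}-{deb_cpu}"
    # triplettable is an exact lookup after <cpu> expansion, so row order
    # does not matter here, unlike in ostable.
    for row in TRIPLETTABLE:
        pattern, arch = row.split()
        if pattern.replace("<cpu>", deb_cpu) == deb_triplet:
            return arch.replace("<cpu>", deb_cpu)
    return None


if __name__ == "__main__":
    variants = [
        ("as submitted (row after gnu-linux)", build_ostable(ENTRY_AS_SUBMITTED, False)),
        ("row moved before gnu-linux", build_ostable(ENTRY_AS_SUBMITTED, True)),
        ("moved + mandatory suffix", build_ostable(ENTRY_STRICT, True)),
    ]
    for label, rows in variants:
        print(label)
        for t in ("x86_64-linux-gnuhardened1", "x86_64-linux-gnu", "x86_64-linux"):
            print(f"  {t:28} -> {gnu_triplet_to_debian_arch(t, rows)}")
```

The three variants correspond to the patch as posted, the row moved above `gnu-linux`, and the row moved with the `(-gnuhardened1.*)?` group replaced by a mandatory `-gnuhardened1` suffix; only the last one maps each of the three triplets to a distinct, intended architecture.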
--- Begin Message ---
Control: notfound -1 1.18.4
Development on this port is stalled, thus I am closing this bug for as long
as there is no progress, to help manage the dpkg bug count.
I'll reopen the bug when the hardened port makes some progress again.
Thanks.
Balint
--- End Message ---