I support the idea; this would be a good opportunity to really test Mitch's concept! If it proves that useful without the cost of performance, this would be quite a hit and SL could make the hardened ISOs the default ones :)

> Date: Tue, 13 Mar 2012 20:20:54 -0400
> From: [email protected]
> To: [email protected]
> Subject: Re: [sabayon-dev] Sabayon Hardening: Proposed Roadmap
>
> I don't know how the Sabayon build system works, but why not just build
> an image with full hardening and distribute it as an optional
> sabayon-hardened.iso? Without a pax kernel, you'll probably be okay on
> all video hardware and any breakage will happen at compile time, not
> when the end user tries to run things.
>
> --Tony
>
> On 03/13/2012 02:50 PM, Mitch Harder wrote:
> > Thanks for the feedback. We appreciate your review of our approach.
> >
> > On Tue, Mar 13, 2012 at 1:19 PM, Anthony G. Basile<[email protected]>
> > wrote:
> >> 1) glibc needs to be compiled with USE=hardened to apply some necessary
> >> patches, and it needs to be compiled with a hardened compiler to get
> >> -D_FORTIFY_SOURCES=2. So the toolchain (gcc/glibc/binutils) must be
> >> compiled and then recompiled with USE=hardened.
> > Right, sorry I wasn't clear about that.
> >
> > Hardening the toolchain (gcc/glibc/binutils) should be a single step.
> >
> >> 2) If the entire system is not compiled hardened, then the system libraries
> >> will lack the security from hardening. Why bother then with hardening at
> >> all?
> > This is a very important question that is still unclear for me.
> >
> > My premise is that:
> >
> > We can achieve a worthwhile increase in security by selectively hardening
> > Sabayon (hardened toolchain, hardened suid binaries, on a standard
> > kernel).
> >
> > From here, we will be in a position to selectively harden other
> > categories of packages (such as @system, LAMP, etc...).
> >
> > Desktop (such as full Gnome and KDE) and Multimedia will probably be
> > last (and may be a ways down the road).
> >
> > I have a supporting premise that, eventually, nearly all packages will
> > support being built hardened.
> >
> > If these premises are incorrect, then this approach to hardening may
> > not be worthwhile.
> >
> > And, again, I appreciate the feedback of the people who have spent
> > much more time working with hardening.
> >
>
> --
> Anthony G. Basile, Ph.D.
> Gentoo Linux Developer [Hardened]
> E-Mail : [email protected]
> GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
> GnuPG ID : D0455535
