My setup is completely compatible with Arch packages. I try to only make changes to the Arch PKGBUILDS to get the security features I need.
For example, my gcc PKGBUILD is modified to default to compile with hardened options PIE stack-protector relro fortify_source etc.. so the vast majority of PKGBUILDS in my git clone do not need to be modified. There are a few exceptions however like grub that can't be built with those options so in that PKGBUILD I pass CC="-fno-stack-protector -fno-PIE -nopie" If someone were using the modified grub PKGBUILD or binary in a default Arch system, it would still compile/run as normal. For the binaries built with PIE, the user would have to enable ASLR in their kernel to take advantage of it, or they could patch their kernel with grsec which has a more robust ASLR implementation. I do make other changes to the PKGBUILDS but they are trivial, like changing the default permissions of some files or deleting unused setuid binaries etc. Also my repos are named differently. hardened-core, hardened-services, hardened-libs, hardened-extras. The default Arch repos were a bit ambiguous to me. I'll bounce around some ideas in the thread link you provided. Thanks. -Andre On Fri, Jul 16, 2010 at 7:40 AM, Faelar <[email protected]> wrote: > Hi, > > There is a topic where we're discussing the project's goals : > http://bbs.archserver.org/viewtopic.php?id=61 > As you can see security is one of them. > > Please can you tell us how much is your setup compatible with Arch Linux > packages ? I value security more, but if we can have both it would be > awesome. > > _______________________________________________ > ArchServer Project General Mail List > Post messages to: [email protected] > Administer your subscription: http://lists.archserver.org/listinfo/general > >
_______________________________________________ ArchServer Project General Mail List Post messages to: [email protected] Administer your subscription: http://lists.archserver.org/listinfo/general
