Hello, Anto Cvitić <[email protected]> wrote:

> Is there an easy way to modify the gnu-build-system so that packages are
> compiled with for example -fstack-protector and other flags to compiler and
> linker? Inspired from https://wiki.debian.org/Hardening

Yes, we can do that on a per-package basis, by passing specific CFLAGS or such to ./configure.

To automate it, we could write a function that takes a package, and returns the same package but with that additional configure flag, like:

  (define (hardened-package p)
    (package (inherit p)
      (arguments
       `(#:configure-flags '("CFLAGS=-fstack-protector")))))

(In real life this would have to be a bit more sophisticated so that P’s configure flags are not discarded, but you get the idea.)

We could also do that automatically in gnu-build-system, but that may not be a good idea.

Or, we could add an option to gnu-build-system that does that, so that a package definition can enable it with just:

  (arguments '(#:hardened? #t))

Perhaps that is the best thing to do.

> It would be nice with a hardened guix, perhaps even with grsecurity patches.

I agree it would be nice.

> I would gladly help with this effort, but alas am not a lisper, yet.

The goal of Guix is to allow non-lispers to contribute (package definitions can be understood without being a lisper, no?), and to stealthily turn them into Schemers as they get more experienced. :-)

Ludo’.
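As an added example (not Ludo's code and not part of Guix itself), the "more sophisticated" variant alluded to above: a `hardened-package` that prepends the stack-protector flag to whatever `#:configure-flags` the package already carries, instead of replacing them. It assumes `substitute-keyword-arguments` from `(guix utils)` and uses GNU Hello from `(gnu packages base)` as the subject; the names `%hardening-cflags` and `hello/hardened` are chosen here for illustration.

```scheme
;; Added example, not from the original message or from Guix: a version of
;; 'hardened-package' that keeps the configure flags P already had.
(use-modules (guix packages)
             (guix utils)          ; substitute-keyword-arguments
             (gnu packages base))  ; 'hello', used only as a test subject

;; Passing CFLAGS=... on the ./configure command line replaces autoconf's
;; default CFLAGS ("-g -O2") rather than appending to it, so the usual
;; optimisation/debug flags are restated alongside the hardening flag.
(define %hardening-cflags
  "CFLAGS=-g -O2 -fstack-protector")

(define (hardened-package p)
  "Return a package like P, but configured with -fstack-protector.
Any #:configure-flags P already specified are preserved."
  (package
    (inherit p)
    (arguments
     (substitute-keyword-arguments (package-arguments p)
       ;; FLAGS is bound to the build-side *expression* for the existing
       ;; flags (default: the expression '()), so the replacement is also
       ;; an expression, evaluated at build time to the final list.
       ((#:configure-flags flags ''())
        `(cons ,%hardening-cflags ,flags))))))

;; Usage: a hardened variant of GNU Hello.  The original 'hello' package
;; object is untouched; this is a new package with a different derivation.
(define hello/hardened
  (hardened-package hello))

;; Print the staged configure-flags expression for inspection.
(display (cadr (memq #:configure-flags
                     (package-arguments hello/hardened))))
(newline)
```

Two points worth keeping in mind when doing this for real: the flag is inserted into the staged build-side code, so the value you see on the host is an expression, not the final list of strings; and because `CFLAGS=...` given to `./configure` overrides the default `-g -O2`, a hardening wrapper that passes only `-fstack-protector` silently turns off optimisation for the package it was meant to harden.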
