ng0 <contact....@cryptolab.net> writes:

> Leo Famulari <l...@famulari.name> writes:
>
>> On Tue, Jan 24, 2017 at 08:56:48PM +0000, ng0 wrote:
>>> Leo Famulari <l...@famulari.name> writes:
>>> > Should we build Tor with "--enable-expensive-hardening"?
>>>
>>> I will take a look later what can be applied other than the
>>> default configure flags.
>>>
>>> I'm all for hardening, but it seems that the first basic ideas
>>> for Guix are stuck in the idea state.
>>
>> As far as I can tell, --enable-expensive-hardening is specific to Tor,
>> so it's not relevant to the project of hardening all Guix packages.
>
> Yes.
>
> I'm building this change right now:
>
> + (arguments
> + `(#:configure-flags (list "--enable-expensive-hardening"
> + "--enable-gcc-hardening"
> + "--enable-linker-hardening")))
>
> Taken from Gentoo, I trust their hardening project to debug and
> discover good usage.
>
>>> It would be great to see some movement on this during this
>>> year. I volunteer to help with it, though I don't have as much
>>> experience with SELinux (and only basic experience with
>>> GrSecurity without a modular kernel like GuixSD uses).
>>
>> Yes, this effort needs a champion.

No, I would say this needs an effort of more than one person. At best
a team of people who either are willing to learn about system
hardening or already know enough, maybe even a combination of both to
share knowledge :)

-- 
♥Ⓐ ng0 -- https://www.inventati.org/patternsinthechaos/
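
Review bot: the three flags in the quoted `#:configure-flags` list go in with no comment saying why each is enabled or what it costs. The thread already notes that --enable-expensive-hardening is specific to Tor, and its name signals a runtime cost, so a short comment above the list recording the Gentoo origin and that trade-off would help later maintainers. The message also says the build is still in progress, so the outcome of the build with these flags should be reported before the change is applied.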