I posted an initial message on help-guix about compiling a custom hardened gcc, but guix-devel is a better list to continue the discussion. I wanted to revisit compiling Guix packages with a hardened toolchain since many other distros do this to improve the security of their packages.
Previous emails only mentioned passing hardening options to CFLAGS and LDFLAGS. Another important step is to compile features into GCC and binutils. Specifically:

* gcc can be compiled with `--enable-default-ssp --enable-default-pie` to enforce ssp and pic
* binutils can be compiled with `--enable-relro --enable-pic` to enforce relro and pic

I'm not a toolchain expert by any means, but I think this is a good first step in improving Guix package security.

1. https://lists.archlinux.org/pipermail/arch-dev-public/2016-October/028405.html
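To confirm that a toolchain built with these options really emits hardened binaries, here is an added shell check (example code written for this page, not from the post or from Guix) that classifies a binary's PIE, RELRO and stack-protector status from readelf output. It assumes binutils' readelf is on PATH, treats an ET_DYN type as PIE (a shared library reports DYN too), and takes an imported `__stack_chk_fail` symbol as evidence that the stack protector was applied.

```shell
#!/bin/sh
# Classify hardening properties from the text `readelf -h -l -d -s FILE` prints.
# Reads that output on stdin and prints one line: pie=... relro=... ssp=...
# Assumptions: ET_DYN is reported as PIE (a shared object also shows DYN), and an
# undefined __stack_chk_fail symbol is taken as evidence of -fstack-protector.
classify_readelf() {
  pie=no relro=none ssp=no bindnow=no
  while IFS= read -r line; do
    case "$line" in
      *"Type:"*DYN*) pie=yes ;;                 # ELF header: e_type is ET_DYN
      *GNU_RELRO*) relro=partial ;;             # GNU_RELRO program header present
      *"(FLAGS)"*BIND_NOW*) bindnow=yes ;;      # DT_FLAGS carries BIND_NOW
      *"(FLAGS_1)"*)                            # DT_FLAGS_1 may carry NOW and/or PIE
        case "$line" in *NOW*) bindnow=yes ;; esac
        case "$line" in *PIE*) pie=yes ;; esac ;;
      *__stack_chk_fail*) ssp=yes ;;            # canary failure handler imported from libc
    esac
  done
  # Full RELRO needs both the GNU_RELRO segment and immediate (BIND_NOW) binding.
  if [ "$relro" = partial ] && [ "$bindnow" = yes ]; then relro=full; fi
  printf 'pie=%s relro=%s ssp=%s\n' "$pie" "$relro" "$ssp"
}

# Run the classification on a real file (assumes readelf is on PATH).
# Usage: check_binary /path/to/binary
check_binary() {
  readelf -h -l -d -s "$1" | classify_readelf
}
```

A binary built with the flags from the post should report `pie=yes relro=full ssp=yes` (full RELRO additionally needs `-z now`, which `--enable-relro` alone does not imply).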