I posted an initial message on help-guix about compiling a custom hardened gcc, 
but guix-devel is a better list to continue the discussion. I wanted to revisit 
compiling Guix packages with a hardened toolchain since many other distros do 
this to improve the security of their packages.

Previous emails only mentioned passing hardening options to CFLAGS and 
LDFLAGS. Another important step is to compile features into GCC and binutils. 
Specifically:

* gcc can be compiled with `--enable-default-ssp --enable-default-pie` to 
enforce ssp and pic
* binutils can be compiled with `--enable-relro --enable-pic` to enforce relro 
and pic

I'm not a toolchain expert by any means, but I think this is a good first step 
in improving Guix package security.

1. https://lists.archlinux.org/pipermail/arch-dev-public/2016-October/028405.html
