pkgsrc-Changes archive


CVS commit: pkgsrc/doc/guide/files



Module Name:    pkgsrc
Committed By:   nia
Date:           Sun Feb 13 11:16:35 UTC 2022

Modified Files:
        pkgsrc/doc/guide/files: hardening.xml

Log Message:
guide: update RELRO dox


To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 pkgsrc/doc/guide/files/hardening.xml

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/doc/guide/files/hardening.xml
diff -u pkgsrc/doc/guide/files/hardening.xml:1.7 pkgsrc/doc/guide/files/hardening.xml:1.8
--- pkgsrc/doc/guide/files/hardening.xml:1.7    Fri Feb 11 08:02:05 2022
+++ pkgsrc/doc/guide/files/hardening.xml        Sun Feb 13 11:16:35 2022
@@ -1,4 +1,4 @@
-<!-- $NetBSD: hardening.xml,v 1.7 2022/02/11 08:02:05 nia Exp $ -->
+<!-- $NetBSD: hardening.xml,v 1.8 2022/02/13 11:16:35 nia Exp $ -->
 
 <appendix id="hardening">
 <title>Security hardening</title>
@@ -142,38 +142,6 @@ Currently, this means NetBSD on x86, ARM
 <varname>PKGSRC_MKPIE</varname> was enabled by default after the pkgsrc-2021Q3 branch.
 </para>
 </sect3>
-</sect2>
-
-<sect2 id="hardening.mechanisms.disabled">
-<title>Not enabled by default</title>
-
-<sect3 id="hardening.mechanisms.disabled.repro">
-<title>PKGSRC_MKREPRO</title>
-
-<para>
-With this option, pkgsrc will try to build packages reproducibly. This allows
-packages built from the same tree and with the same options, to produce
-identical results bit by bit. This option should be combined with ASLR and
-<varname>PKGSRC_MKPIE</varname> to avoid predictable address offsets for
-attackers attempting to exploit security vulnerabilities.
-</para>
-
-<para>
-More details can be found here:
-</para>
-
-<itemizedlist>
-<listitem>
-<para>
-<ulink url="https://reproducible-builds.org/";>Reproducible Builds - a set of software development practices that create an independently-verifiable path from source to binary code</ulink>
-</para>
-</listitem>
-</itemizedlist>
-
-<para>
-More work likely needs to be done before pkgsrc is fully reproducible.
-</para>
-</sect3>
 
 <sect3 id="hardening.mechanisms.enabled.relro">
 <title>PKGSRC_USE_RELRO</title>
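Review bot: moving the RELRO section out of the "Not enabled by default" sect2 makes its id `hardening.mechanisms.enabled.relro` finally agree with its parent, but the body text never says that PKGSRC_USE_RELRO is on by default, unlike the PKGSRC_MKPIE paragraph just above it (`PKGSRC_MKPIE was enabled by default after the pkgsrc-2021Q3 branch.`). Add an equivalent sentence to the RELRO sect3 naming the branch after which it became the default, so a reader on an older stable branch can tell whether the section applies to them.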
@@ -188,7 +156,7 @@ difficult in some cases.
 <itemizedlist>
 <listitem>
 <para>
-partial: the ELF sections are reordered so that internal data sections
+partial (the default): the ELF sections are reordered so that internal data sections
 precede the program's own data sections, and non-PLT GOT is read-only;
 </para>
 </listitem>
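Review bot: "(the default)" in the partial bullet is ambiguous now that this section lives under "enabled by default": it can mean the level pkgsrc sets for PKGSRC_USE_RELRO, or the level the other software distributions mentioned in the next paragraph default to. Say which, e.g. `partial (pkgsrc's default): the ELF sections are reordered so that internal data sections`, and leave the 'at the "partial" level' remark about other distributions as a separate statement.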
@@ -203,8 +171,7 @@ can greatly slow down startup of large p
 
 <para>
 This is currently supported by GCC. Many software distributions now enable this
-feature by default, at the "partial" level. However, it cannot yet be enforced
-globally in pkgsrc through cwrappers.
+feature by default, at the "partial" level.
 </para>
 
 <para>
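Review bot: dropping "However, it cannot yet be enforced globally in pkgsrc through cwrappers." removes the only sentence that said how (or whether) pkgsrc applies this setting, and leaves "This is currently supported by GCC." standing on its own; a reader of the new text cannot tell whether the limitation was fixed or merely deleted. If the caveat no longer holds, replace it with a positive statement that pkgsrc now passes the RELRO linker options to every package build, and say which toolchains are covered. "supported by GCC" is also imprecise: RELRO is implemented by the linker (GCC only forwards the option), so the sentence should name the linker component that matters rather than the compiler.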
@@ -220,6 +187,39 @@ More details can be found here:
 </itemizedlist>
 </sect3>
 
+</sect2>
+
+<sect2 id="hardening.mechanisms.disabled">
+<title>Not enabled by default</title>
+
+<sect3 id="hardening.mechanisms.disabled.repro">
+<title>PKGSRC_MKREPRO</title>
+
+<para>
+With this option, pkgsrc will try to build packages reproducibly. This allows
+packages built from the same tree and with the same options, to produce
+identical results bit by bit. This option should be combined with ASLR and
+<varname>PKGSRC_MKPIE</varname> to avoid predictable address offsets for
+attackers attempting to exploit security vulnerabilities.
+</para>
+
+<para>
+More details can be found here:
+</para>
+
+<itemizedlist>
+<listitem>
+<para>
+<ulink url="https://reproducible-builds.org/";>Reproducible Builds - a set of software development practices that create an independently-verifiable path from source to binary code</ulink>
+</para>
+</listitem>
+</itemizedlist>
+
+<para>
+More work likely needs to be done before pkgsrc is fully reproducible.
+</para>
+</sect3>
+
 <sect3 id="hardening.mechanisms.disabled.stackcheck">
 <title>PKGSRC_USE_STACK_CHECK</title>
 


