Re: Improving security for pkgsrc

[Pierre Pronchery <khorben%defora.org@localhost>]

			Hi all,

On 07/21/15 09:30, Marc Espie wrote:
> On Sat, Jul 18, 2015 at 07:14:36PM +0200, Pierre Pronchery wrote:
>> On 07/18/15 18:56, Joerg Sonnenberger wrote:
>>> On Sat, Jul 18, 2015 at 06:38:09PM +0200, Pierre Pronchery wrote:
>>>> 1. Building with stack smashing protection: (SSP)
>>>> [...]
>>>
>>> It has been shown to be pretty weak in practise, so YMMV.
>>
>> Maybe, but meanwhile: [...]
> 
> I don't even remember WHEN OpenBSD indeed got it. It's got to be somewhere
> in 2003.
> 
> It promptly started breaking things up badly, by finding lots of overflows
> all over the place.  It's been rather invaluable in that way.
> 
> In any case, I wouldn't call any of these improvements "low-hanging fruits".

It's been finding a lot of bugs at the low cost of enabling the feature.
The hard work of implementing the feature in the first place and fixing
these bugs has /already/ been done. By now it is really a shame not only
to not be actually leveraging this in pkgsrc, but to not even have the
option.

Some progress in this regard:
http://git.edgebsd.org/gitweb/?p=edgebsd-pkgsrc.git;a=commitdiff;h=e33a2680d9dbffbdada966e50830dff70428cd30
(it can easily be disabled by default instead)

> It's totally a lot of effort to make PIE work for instance.

Let's find out; but here again, a number of distributions have performed
a lot of the work required already.

> Each time you add some level of protection, you're bound to run into lots
> of programs that play wild & loose with the rules. And you have to fix things
> correctly so that they keep working. Otherwise, people will start NOT using
> your awesome security measures for actual work...

And everyone learns something, and we end up a bit safer every time.

Thanks for mentioning this,
-- 
khorben