tech-pkg archive


Re: Improving security for pkgsrc



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi tech-pkg@,

On 07/28/15 19:40, Greg Troxel wrote:
> Pierre Pronchery <khorben%defora.org@localhost> writes:
>> 1. introducing the feature (disabled by default)
> 
> You've committed this, so this is project.

:)

>> 2a. adventurous people/projects (EdgeBSD...) enable it by default
>> and report/fix failures
> 
> Sure, that's fine, or someone could turn it on individually, or do
> a bulk build with it.

I am currently building some meta-packages, so far so good.

> In your experience so far, do problems show up at build time, or
> do programs just not work, or ?

Some projects might no longer build, but I do not expect much breakage
there: major distributions have been building the same software with
SSP enabled for many years now.

Issues at run-time may occur, but they depend on the code path and
context. Finding run-time issues is a good thing though: it should
indicate a bug in the program. If confirmed so, then the program had
an issue, not the compiler.

>> 2b. support gets added for more platforms 3. enabling by default
>> on NetBSD/gcc (possibly also clang), possibly partially (like for
>> base)
> 
> To get to this, we probably need a SSP_SAFE=no define for
> individual packages.  And confidence that we aren't causing
> undetected/unknown breakage.

But then if it does break, and a bug is confirmed, is it not better to
break rather than expose a weird machine to potential attackers?

>> 4. fail if enabled but not supported for the current platform
> 
> That really doesn't seem useful.  Let's defer this until after it's
> the default for NetBSD/gcc.

To me it is the complete opposite. A user should not be led in a
dangerous direction without a big, fat warning and a barrier to jump
before falling off the bridge. We are operating a bridge here.
http://allday.com/post/4658-11-of-the-dumbest-and-most-unusual-ways-people-have-died/pages/2/

I know that most users just ignore any warning, just as they click
away those SSL validation failures. But some will care, and then among
those someone will actually step out and implement the missing bits.
This is what we should be aiming for.

HTH,
-- 
khorben
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
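The run-time behaviour discussed in the message above (an SSP failure pointing at a bug in the program, not in the compiler) can be seen with a small test case. The following is an added example written for this page; it is not code from the post, from pkgsrc or from any package, and the function names, the 16-byte buffer size and the inputs are all constructed for illustration. Built with `-fstack-protector-strong`, the buggy function aborts with "stack smashing detected" when handed an over-long name; built without SSP, the same overflow silently corrupts the caller's frame and may appear to work, which is exactly why such bugs go unnoticed until the protector is enabled.

```c
/* ssp_demo.c: stack buffer overflow with and without SSP.
 * Added example for this page; not from the original post or pkgsrc. */
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* constructed buffer size for the demo */

/* Buggy: classic unbounded copy into a fixed-size stack buffer.
 * With -fstack-protector(-strong) the compiler places a canary after
 * buf; an input of NAME_MAX bytes or more overwrites it and the
 * function aborts on return ("*** stack smashing detected ***").
 * Without SSP the same write corrupts the saved frame instead. */
int greet_unsafe(const char *name, char *out, size_t outlen)
{
    char buf[NAME_MAX];
    strcpy(buf, name);            /* no bounds check: the bug */
    return snprintf(out, outlen, "Hello, %s!", buf);
}

/* Fixed: refuse input that does not fit, so the canary is never touched.
 * Returns -1 for an over-long name, otherwise the snprintf length. */
int greet_safe(const char *name, char *out, size_t outlen)
{
    char buf[NAME_MAX];
    size_t n = strlen(name);

    if (n >= sizeof buf)
        return -1;
    memcpy(buf, name, n + 1);     /* n + 1 includes the terminating NUL */
    return snprintf(out, outlen, "Hello, %s!", buf);
}

int main(int argc, char **argv)
{
    char out[64];
    const char *name = argc > 1 ? argv[1] : "pkgsrc";

    if (greet_safe(name, out, sizeof out) < 0)
        fprintf(stderr, "greet_safe: name of %zu bytes does not fit in %d, refusing\n",
                strlen(name), NAME_MAX);
    else
        puts(out);

    /* Same input through the buggy version. A long argv[1] overflows buf
     * here; with SSP the process aborts before the next line runs. */
    greet_unsafe(name, out, sizeof out);
    puts(out);
    return 0;
}
```

To reproduce the two behaviours, build the file twice and run each binary with a 40-byte argument: `cc -O2 -fstack-protector-strong ssp_demo.c -o ssp_demo_ssp` and `cc -O2 -fno-stack-protector ssp_demo.c -o ssp_demo_nossp`, then `./ssp_demo_ssp AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA`. The SSP build terminates with the stack-smashing message; the other build may print a greeting, crash, or misbehave depending on the stack layout, which is the "depends on the code path and context" case from the message. The fix belongs in the program (the bounds check in `greet_safe`), not in the build flags.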


