pkgsrc-Changes archive


CVS commit: pkgsrc/doc



Module Name:    pkgsrc
Committed By:   nia
Date:           Sun Nov  7 11:30:19 UTC 2021

Modified Files:
        pkgsrc/doc: NEWS
        pkgsrc/doc/guide/files: hardening.xml

Log Message:
doc: RELRO revert


To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.22 pkgsrc/doc/NEWS
cvs rdiff -u -r1.4 -r1.5 pkgsrc/doc/guide/files/hardening.xml

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/doc/NEWS
diff -u pkgsrc/doc/NEWS:1.21 pkgsrc/doc/NEWS:1.22
--- pkgsrc/doc/NEWS:1.21        Sun Oct 10 08:39:40 2021
+++ pkgsrc/doc/NEWS     Sun Nov  7 11:30:19 2021
@@ -1,4 +1,4 @@
-# $NetBSD: NEWS,v 1.21 2021/10/10 08:39:40 nia Exp $
+# $NetBSD: NEWS,v 1.22 2021/11/07 11:30:19 nia Exp $
 
 PKGSRC NEWS
 ===========
@@ -24,12 +24,6 @@ Increased enabled-by-default hardening o
        like i386 - usually this is due to unsafe assembly code,
        which should be disabled when MKPIE is enabled.
 
-       PKGSRC_USE_RELRO was enabled on some architectures.
-       This should not affect the majority of packages that properly
-       honor CFLAGS/LDFLAGS when building.  Packages experiencing
-       problems loading dynamic ELF plugins at runtime should have
-       RELRO disabled.
-
        PKGSRC_USE_SSP was bumped from "yes" to "strong".  This
        is not expected to have a noticable effect.
 
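Review bot: dropping the PKGSRC_USE_RELRO paragraph outright leaves no record of the revert for anyone who read NEWS 1.21 and acted on it; the entry at -24,12 should be replaced rather than deleted. A one-line note in its place, such as "PKGSRC_USE_RELRO is no longer enabled by default (it cannot yet be enforced globally through cwrappers)", matches the wording added to hardening.xml in this same commit and keeps the changelog honest.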

Index: pkgsrc/doc/guide/files/hardening.xml
diff -u pkgsrc/doc/guide/files/hardening.xml:1.4 pkgsrc/doc/guide/files/hardening.xml:1.5
--- pkgsrc/doc/guide/files/hardening.xml:1.4    Tue Nov  2 08:28:45 2021
+++ pkgsrc/doc/guide/files/hardening.xml        Sun Nov  7 11:30:19 2021
@@ -1,4 +1,4 @@
-<!-- $NetBSD: hardening.xml,v 1.4 2021/11/02 08:28:45 nia Exp $ -->
+<!-- $NetBSD: hardening.xml,v 1.5 2021/11/07 11:30:19 nia Exp $ -->
 
 <appendix id="hardening">
 <title>Security hardening</title>
@@ -143,6 +143,37 @@ Currently, this means NetBSD on x86, ARM
 </para>
 </sect3>
 
+<sect2 id="hardening.mechanisms.disabled">
+<title>Not enabled by default</title>
+
+<sect3 id="hardening.mechanisms.disabled.repro">
+<title>PKGSRC_MKREPRO</title>
+
+<para>
+With this option, pkgsrc will try to build packages reproducibly. This allows
+packages built from the same tree and with the same options, to produce
+identical results bit by bit. This option should be combined with ASLR and
+<varname>PKGSRC_MKPIE</varname> to avoid predictable address offsets for
+attackers attempting to exploit security vulnerabilities.
+</para>
+
+<para>
+More details can be found here:
+</para>
+
+<itemizedlist>
+<listitem>
+<para>
+<ulink url="https://reproducible-builds.org/";>Reproducible Builds - a set of software development practices that create an independently-verifiable path from source to binary code</ulink>
+</para>
+</listitem>
+</itemizedlist>
+
+<para>
+More work likely needs to be done before pkgsrc is fully reproducible.
+</para>
+</sect3>
+
 <sect3 id="hardening.mechanisms.enabled.relro">
 <title>PKGSRC_USE_RELRO</title>
 
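Review bot: the new `<sect2 id="hardening.mechanisms.disabled">` is opened right after the `</sect3>` context line without a preceding `</sect2>`, so it nests inside the still-open "Enabled by default" sect2, which DocBook does not allow (sect2 cannot contain sect2). The `<sect3 id="hardening.mechanisms.enabled.relro">` that follows as trailing context also ends up under "Not enabled by default" while keeping an `enabled` id. Suggest emitting `</sect2>` before the new `<sect2 ...disabled>` and renaming the RELRO id to `hardening.mechanisms.disabled.relro` (updating any xref to it).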
@@ -171,7 +202,8 @@ entire GOT to be read-only.
 
 <para>
 This is currently supported by GCC. Many software distributions now enable this
-feature by default, at the "partial" level.
+feature by default, at the "partial" level. However, it cannot yet be enforced
+globally in pkgsrc through cwrappers.
 </para>
 
 <para>
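Review bot: "cwrappers" is introduced here without explanation or a link, and this sentence is the only place in the commit that gives the reason for the revert. Suggest spelling it out (presumably the pkgsrc compiler wrapper framework) or adding a cross-reference, and stating what that limitation means for users who still want RELRO, so the paragraph is not just "supported by GCC, enabled elsewhere, but not here".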
@@ -188,37 +220,6 @@ More details can be found here:
 </sect3>
 </sect2>
 
-<sect2 id="hardening.mechanisms.disabled">
-<title>Not enabled by default</title>
-
-<sect3 id="hardening.mechanisms.disabled.repro">
-<title>PKGSRC_MKREPRO</title>
-
-<para>
-With this option, pkgsrc will try to build packages reproducibly. This allows
-packages built from the same tree and with the same options, to produce
-identical results bit by bit. This option should be combined with ASLR and
-<varname>PKGSRC_MKPIE</varname> to avoid predictable address offsets for
-attackers attempting to exploit security vulnerabilities.
-</para>
-
-<para>
-More details can be found here:
-</para>
-
-<itemizedlist>
-<listitem>
-<para>
-<ulink url="https://reproducible-builds.org/";>Reproducible Builds - a set of software development practices that create an independently-verifiable path from source to binary code</ulink>
-</para>
-</listitem>
-</itemizedlist>
-
-<para>
-More work likely needs to be done before pkgsrc is fully reproducible.
-</para>
-</sect3>
-
 <sect3 id="hardening.mechanisms.disabled.stackcheck">
 <title>PKGSRC_USE_STACK_CHECK</title>
 
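Review bot: with the whole sect2 removed, `<sect3 id="hardening.mechanisms.disabled.stackcheck">` now follows `</sect2>` directly and no sect2 is opened before it, so the stack-check section and every sect3 after it lose their "Not enabled by default" parent. Given that the earlier hunk opens the relocated sect2 inside "Enabled by default", these sections end up under that heading despite their `disabled` ids. Suggest moving only the RELRO sect3 into the existing "Not enabled by default" sect2 instead of moving the sect2 itself, which keeps this hunk to the RCS-id change.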


