[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Improving security for pkgsrc
On 07/21/15 09:30, Marc Espie wrote:
> On Sat, Jul 18, 2015 at 07:14:36PM +0200, Pierre Pronchery wrote:
>> On 07/18/15 18:56, Joerg Sonnenberger wrote:
>>> On Sat, Jul 18, 2015 at 06:38:09PM +0200, Pierre Pronchery wrote:
>>>> 1. Building with stack smashing protection: (SSP)
>>> It has been shown to be pretty weak in practise, so YMMV.
>> Maybe, but meanwhile: [...]
> I don't even remember WHEN OpenBSD indeed got it. It's got to be somewhere
> in 2003.
> It promptly started breaking things up badly, by finding lots of overflows
> all over the place. It's been rather invaluable in that way.
> In any case, I wouldn't call any of these improvements "low-hanging fruits".
It's been finding a lot of bugs at the low cost of enabling the feature.
The hard work of implementing the feature in the first place and fixing
these bugs has /already/ been done. By now it is really a shame not only
to not be actually leveraging this in pkgsrc, but to not even have the
Some progress in this regard:
(it can easily be disabled by default instead)
> It's totally a lot of effort to make PIE work for instance.
Let's find out; but here again, a number of distributions have performed
a lot of the work required already.
> Each time you add some level of protection, you're bound to run into lots
> of programs that play wild & loose with the rules. And you have to fix things
> correctly so that they keep working. Otherwise, people will start NOT using
> your awesome security measures for actual work...
And everyone learns something, and we end up a bit safer every time.
Thanks for mentioning this,
Main Index |
Thread Index |