nia <nia%NetBSD.org@localhost> writes: > How do we feel about turning up the default hardening options? I am unclear on exactly what we are proposing. Could you: Post a draft patch to mk/defaults.mk, or whatever, so there's a crisp thing for people to test? Comment on where you think we are in terms of this possibly being pre-branch, vs heading for just after Q3 is branched? Explain if turning on MKREPRO without also MKPIE and ALSR has any negative security consequences? (I am guessing no, because addreses are already predicable and MKREPRO is about avoiding timestamps etc.) I think you mean the following PKGSRC_USE_SSP?= strong PKGSRC_USE_RELRO?= partial PKGSRC_MKREPRO?= yes but wiz mentioned yes for RELRO, and I don't see that as a valid value. yes for SSP which is now default so I would like to test what we're really talking about doing (if it cools off enough that I'm ok with the associated heat generation).
Description: PGP signature