tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Default hardening options

nia <> writes:

> How do we feel about turning up the default hardening options?

I am unclear on exactly what we are proposing.

Could you:

  Post a draft patch to mk/, or whatever, so there's a crisp
  thing for people to test?

  Comment on where you think we are in terms of this possibly being
  pre-branch, vs heading for just after Q3 is branched?

  Explain if turning on MKREPRO without also MKPIE and ALSR has any
  negative security consequences?  (I am guessing no, because addreses
  are already predicable and MKREPRO is about avoiding timestamps etc.)

I think you mean the following

PKGSRC_USE_SSP?= 	strong

but wiz mentioned

  yes for RELRO, and I don't see that as a valid value.

  yes for SSP which is now default
so I would like to test what we're really talking about doing (if it
cools off enough that I'm ok with the associated heat generation).

Attachment: signature.asc
Description: PGP signature

Home | Main Index | Thread Index | Old Index