
Re: Building a distribution from source?



Steve Kemp <skx@debian.org> writes:

> On Fri, Dec 05, 2003 at 12:10:44PM +1100, Russell Coker wrote:
> > On Fri, 5 Dec 2003 10:39, Steve Kemp <skx@debian.org> wrote:
> > > I've been experimenting with producing a hardened Debian derivative
> > > as a small piece of paid work.  This mostly means compiling things with
> > > a stackguard compiler, using format guard, and enforcing policies, etc.
> > 
> > Are you using any extra patches to GCC?  Or just a GCC built with the 
> > propolice option?
> 
>   Yes I am using slightly modified patches from http://www.immunix.org/.
> 
>   The propolice is something that I shall be evaluating next.
> 
> > How difficult is it to bootstrap this?  Can you compile glibc with these 
> > options without affecting anything else?
> 
>   So far I have built glibc with this modified GCC (only so that I
>  could apply the "FormatGuard" patches which are designed to combat
>  format string attacks).  Recompiling glibc wasn't something that I
>  really wanted to try on the PII 233MHz machine I have as my test box!
> 
>   Bootstrapping was very simple, just a matter of applying the patch to
>  GCC and rebuilding it, then having installed it I rebuilt several test
>  packages which were exploitable previously and failed to be exploitable
>  afterwards.  (With the caveat that this patch doesn't protect against
>  all attacks.)
> 
>   I confess that I haven't rebuilt _all_ the interesting packages yet
>  (the kernel and X11 being the most likely to fail), but the packages
>  that I did build, bash, perl, etc., did compile with no observed side
>  effects thus far.

If the ABI of libraries stays the same (sounds that way), bootstrapping
is really easy.

You can set up a normal system with wanna-build and a buildd and an
empty archive. You should patch the buildd to add a -0.0.1 or .0.1
Debian version to each build. That way you can have the normal and
your hardened repository in the apt/sources.lists, install
normal/security updates immediately and update to hardened versions as
they are available.

MfG
        Goswin
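The version-suffix scheme in the message above relies on how dpkg orders Debian version strings: the hardened rebuild must sort above the stock build, but a later stock or security upload (a new Debian revision, or a new upstream version) must sort above the hardened build until it has been rebuilt. The following added example, which is not code from the thread, from Debian or from dpkg, re-implements dpkg's version comparison in Python so the scheme can be checked offline. The package versions it uses are constructed sample values, and the helper names (`hardened_version`, `apt_candidate`) are my own.

```python
"""Debian version ordering for a parallel 'hardened' repository.

Added example (not code from the thread or from dpkg): a re-implementation
of dpkg's version comparison, used to check the scheme where hardened
rebuilds get a ".0.1" (or "-0.0.1") suffix so apt prefers them over the
stock build, while a normal or security update of the stock package
immediately outranks the hardened build until it is rebuilt.
"""
from functools import cmp_to_key


def _order(c):
    """Weight of a non-digit character in dpkg's comparison: '~' sorts
    before anything (even the end of the string), letters before
    non-letters, and the end of the string counts as 0."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream-version or debian-revision strings the way
    dpkg does: alternate non-digit runs (lexical via _order) with
    digit runs (compared numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run (or the end of one string against the other).
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: drop leading zeros, then compare digit by digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1   # a's number has more digits, so it is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def _sign(n):
    return (n > 0) - (n < 0)


def compare_versions(a, b):
    """Return -1, 0 or 1: epoch first, then upstream, then Debian revision."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return _sign(ea - eb)
    c = _verrevcmp(ua, ub)
    if c:
        return _sign(c)
    return _sign(_verrevcmp(ra, rb))


def hardened_version(version):
    """Version for the hardened rebuild of a stock package, following the
    suffix scheme from the message: ".0.1" appended to an existing Debian
    revision, "-0.0.1" when the package has none (a native package)."""
    _, _, revision = parse_version(version)
    return version + (".0.1" if revision else "-0.0.1")


def apt_candidate(versions):
    """The version apt installs from several sources under default pinning:
    simply the highest one (hypothetical helper, not apt's own logic)."""
    return max(versions, key=cmp_to_key(compare_versions))


if __name__ == "__main__":
    stock = "2.05b-11"       # constructed sample: stock bash build
    security = "2.05b-12"    # constructed sample: later security upload
    hardened = hardened_version(stock)
    print(apt_candidate([stock, hardened]))                        # hardened build wins
    print(apt_candidate([stock, hardened, security]))              # security upload wins until rebuilt
    print(apt_candidate([security, hardened_version(security)]))  # rebuilt hardened version wins again
```

The comparison also reproduces the `~` rule (a pre-release such as `1.0~rc1` sorts below `1.0`), which matters if the buildd ever rebuilds packages from experimental; the suffix scheme still works because the suffix is applied to the Debian revision, not the upstream part.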