
Re: Debian Hardened project (question about use of the "Debian" trademark)



On Sat, Sep 18, 2004 at 01:51:53PM +0200, Lorenzo Hernandez Garcia-Hierro wrote:

> - We put the patched GCC & Glibc packages first (Steve, your 2 cents :D)
> - We send an advice to the mailing-lists, we write a little "guideline"
> for the new development way, telling what the developer needs (and what he
> must do) to start re-compiling the packages and making them "hardened".

  'must' is a strong term.

> I'm not a regex master, but, maybe we can derive some work on our
> stupid boxes :), we can try to make a little script to manage the
> Makefiles, apply the needed patches and also everything we want, making
> the work faster & (almost) automatic.

  This is going to be far harder than you think.

  Right now there is no standard way to pass extra options
 down to the packages as they are being compiled, this is why
 packages like athlon-builder, and pentium-builder exist as
 wrappers round GCC.  They are suboptimal.

  It might be a better approach to start out by constructing something
 which would allow *arbitrary* options to be passed through to compilers,
 linkers regardless of the source package.

  However this will likely involve patching all the packages, and
 trying to get those changes accepted upstream might be problematic.
 (I wonder how Gentoo manage their 'USE' flags wrt upstream?)

> This is the little pseudo-code that we can get as dev model for it:
> 
> (check the sources)
>     -> get the ./src dir
>     -> analyse the Makefile*
>     -> append -fstack-protector to CFLAGS.
>     -> apply ET_DYN stuff to LDFLAGS.
>     -> apply any other stuff to Makefiles.
>         -> If the package matches one of a list, it will use some
>            special patch: ex. if ( $package == PHP) { apply (hardened-php) patch; }
>     -> check for hunks, if there's one, send an advice message to the
>        developer or the tty in use.
>     -> create HARDENED file into the main dir for the sources, insert:
>         - upstream author:
>         - "hardener" (this sounds bad :P)
>         - applied patches
>         - CFLAGS and LDFLAGS used.
>         - version of GCC, SSP and PIE used to compile.
>     -> end, close/unlock the files (to prevent other users or
>        processes from messing up our work).
>     -> et voilà!
>     -> start configuration->compilation.
>     -> dpkg-buildpackage
>     -> echo "Have you moo'ed today?"
> A bash script will be easier to use.

  Sounds like it would be interesting, but I suspect you'd only
 discover how difficult it is after trying.  (Not that I'm trying
 to put you off, it's just that the packages we have aren't all
 buildable easily - some use ./configure, others use bizarre
 Makefiles and yet others use imake).

> Tell me if this is interesting, I can start something on the DH's cvs.

  It sounds interesting .. I reckon that short-term you'd be better
 off using wrappers around ld, g++, gcc, etc.  But having a general
 mechanism for passing in additional arbitrary flags would be useful
 for lots of things - from insane optimizations, to adding in support
 for different protection models.

Steve
--
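The wrapper approach Steve recommends for the short term, written out as an added example (it is not code from this thread, from Debian Hardened, or from athlon-builder/pentium-builder): a POSIX sh wrapper that sits ahead of the real compiler in PATH, appends the flags from Lorenzo's pseudo-code (-fstack-protector for SSP, -fPIE/-pie for ET_DYN executables) to each invocation without duplicating flags the package already passes, and writes the HARDENED record the pseudo-code lists. The variable name HARDENED_REAL_CC, the function names and the record field names are assumptions of this example; the per-package patch step (the hardened-php case) is left out.

```shell
#!/bin/sh
# Added example, not code from the thread.  Assumed names:
# HARDENED_REAL_CC (path of the real compiler, default gcc), the
# function names below and the HARDENED record fields.

# has_arg WORD ARGS...: succeed if WORD appears verbatim in ARGS.
has_arg() {
    needle=$1
    shift
    for a in "$@"; do
        [ "$a" = "$needle" ] && return 0
    done
    return 1
}

# is_compile_only ARGS...: succeed if gcc will not link (-c, -S or -E).
is_compile_only() {
    for a in "$@"; do
        case $a in
            -c|-S|-E) return 0 ;;
        esac
    done
    return 1
}

# hardened_extra_flags ARGS...: print the flags to append to a gcc
# command line.  Flags already present are not duplicated, an explicit
# opt-out (-fno-stack-protector) is respected, PIC code needs no -fPIE,
# and shared objects are already ET_DYN so they get no -pie.
hardened_extra_flags() {
    extra=""
    if ! has_arg -fstack-protector "$@" && ! has_arg -fno-stack-protector "$@"; then
        extra="$extra -fstack-protector"
    fi
    if ! has_arg -fPIE "$@" && ! has_arg -fpie "$@" \
       && ! has_arg -fPIC "$@" && ! has_arg -fpic "$@"; then
        extra="$extra -fPIE"
    fi
    if ! is_compile_only "$@" && ! has_arg -shared "$@" && ! has_arg -pie "$@"; then
        extra="$extra -pie"
    fi
    printf '%s\n' "${extra# }"
}

# run_hardened_cc ARGS...: exec the real compiler with the extra flags
# appended.  Install this script under the compiler's name ahead of the
# real one in PATH and point HARDENED_REAL_CC at the real binary.
run_hardened_cc() {
    # unquoted $(...) on purpose: the flag string must be word-split
    exec "${HARDENED_REAL_CC:-gcc}" "$@" $(hardened_extra_flags "$@")
}

# write_hardened_record DIR AUTHOR HARDENER PATCHES CFLAGS LDFLAGS:
# write DIR/HARDENED with the fields from the pseudo-code, plus the
# compiler version actually used (or "unknown" if it cannot be run).
write_hardened_record() {
    dir=$1
    cc=${HARDENED_REAL_CC:-gcc}
    cc_version=$("$cc" --version 2>/dev/null | head -n 1) || cc_version=""
    [ -n "$cc_version" ] || cc_version="unknown ($cc not found)"
    {
        echo "Upstream-Author: $2"
        echo "Hardener: $3"
        echo "Applied-Patches: $4"
        echo "CFLAGS: $5"
        echo "LDFLAGS: $6"
        echo "Compiler: $cc_version"
    } > "$dir/HARDENED"
}
```

Because the flags are appended after the package's own arguments, a later -f option wins in gcc, so a package that passes -fno-stack-protector keeps its choice; that is why the wrapper checks for the opt-out rather than overriding it. The same limitation Steve points out still applies: a wrapper only helps packages whose build actually goes through the compiler driver, and it records nothing about patches applied to the sources unless write_hardened_record is called from the build script.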