Re: Proposing amd64-hardened architecture for Debian

[Martin Wuertele <martin@wuertele.net>]

* Balint Reczey <balint@balintreczey.hu> [2014-04-15 12:01]:

(...)

> My proposal for serving those security-focused users is introducing a
> new architecture targeting amd64 hardware, but with more security
> related C/C++ features turned on for every package (currently hardening
> has to be enabled by the maintainers in some way) through compiler flags
> as a start.
> 
> Introducing the new architecture would also let package maintainers
> enabling additional dependencies and build rules selectively for the new
> architecture improving the security further. On the users' side the
> advantage of having a separate security enhanced architecture instead of
> a Debian derivative is the potential of installing a set of security
> enhanced packages using multiarch [6]. You could have a fast amd64
> installation as a base and run Apache or any other sensitive server from
> the amd64-hardened packages!
> 
> -----
> 
> What do you think? Would adding a new arch be feasible and a good solution?

Why is it not feasable to provide additional -hardened packages? With
that it would be possible to provide hardened versions of packages on
other archs as well.

Kind regards,
Martin