Re: Proposing amd64-hardened architecture for Debian

To: debian developers <debian-devel@lists.debian.org>
Subject: Re: Proposing amd64-hardened architecture for Debian
From: Bálint Réczey <balint@balintreczey.hu>
Date: Wed, 16 Apr 2014 20:03:08 +0200
Message-id: <[🔎] CAK0OdpzVq_8etn2-KG+HLQ_3=EiqyDeU2Q0ySgT0H8NvXGqGWw@mail.gmail.com>
Reply-to: balint@balintreczey.hu
In-reply-to: <[🔎] 20140415180727.GA10412@virgil.dodds.net>
References: <[🔎] 534D0341.5050807@balintreczey.hu> <[🔎] 534D5B1A.3070408@debian.org> <[🔎] 20140415180727.GA10412@virgil.dodds.net>

Hi Steve,

2014-04-15 20:07 GMT+02:00 Steve Langasek <vorlon@debian.org>:
> On Wed, Apr 16, 2014 at 12:15:22AM +0800, Thomas Goirand wrote:
>> > My proposal for serving those security-focused users is introducing a
>> > new architecture targeting amd64 hardware, but with more security
>> > related C/C++ features turned on for every package (currently hardening
>> > has to be enabled by the maintainers in some way) through compiler flags
>> > as a start.
>
>> My take on this: start it if you wish, and see how it takes you. If it
>> is successful enough, it will go to http://www.debian-ports.org/. If it
>> has even more success, then probably it will go through the standard
>> repository and be official part of Debian. Whatever happens, it will be
>> interesting to see what kind of performance hit you get, and what kind
>> of security enhancement there is.
>
> I would not presume that debian-ports.org would be willing to accept this
> port without detailed discussion with Debian about what it means to provide
> a different "port" with the same ABI.
Thank you for raising this concern. I hope I could get input from
people deciding on accepting/rejecting the proposed port on this list.
If not I'll reach them directly.

>
> The other recent notable port of this kind (changing the compiler defaults
> without changing the ABI) is Raspbian, which we have not found a way to
> effectively integrate into the Debian archive.  It lives in its own domain,
> not under debian-ports, because it conflicts with and is unidirectionally
> incompatible with the existing armhf port.
>
> It would be great to see someone tackle the question of "subarchs" for dpkg,
> which might be a fit here.  But I don't imagine that you're going to get
> signoff on a dpkg "amd64-secure" architecture, so doing this in debian or on
> debian-ports isn't very practical.
I'm not sure what technical matters prevent having the same ABI in two
different architectures if the multiarch names differ as well, but if
there is any I think they can be handled so I hope to get the signoff.
I would like to avoid going the Raspbian way.

Cheers,
Balint

Reply to:

References:
- Proposing amd64-hardened architecture for Debian
  - From: Balint Reczey <balint@balintreczey.hu>
- Re: Proposing amd64-hardened architecture for Debian
  - From: Thomas Goirand <zigo@debian.org>
- Re: Proposing amd64-hardened architecture for Debian
  - From: Steve Langasek <vorlon@debian.org>

Prev by Date: Bug#744960: ITP: smalt -- Sequence Mapping and Alignment Tool
Next by Date: Re: automatic autoconf config file updating
Previous by thread: Re: Proposing amd64-hardened architecture for Debian
Next by thread: Re: Proposing amd64-hardened architecture for Debian
Index(es):
- Date
- Thread