
Re: Proposing amd64-hardened architecture for Debian



On Tue, Apr 15, 2014 at 12:00:33PM +0200, Balint Reczey wrote:
> Facing last week's Heartbleed [1] bug the need for improving the
> security of our systems became more apparent than usual. In Debian
> there are widely used methods for Hardening [2] packages at build time
> and guidelines [3] for improving the default installations' security.

Riding the Heartbleed publicity wave seems unwise, unless you can
propose a hardening flag that would have protected users from
Heartbleed. Else, Heartbleed merely serves as an example of
how wallpapering problems over with "hardened" binaries often
doesn't help you at all.

Considering that most issues protected by compiler hardening are
also detectable by static/dynamic code analysis, a more effective security
measure would be to spend time with clang static analyzer, valgrind, trinity
and other tools... or actually reviewing patches that security critical
projects receive.

Riku

