[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Improving security in the binary distribution
- To: EdgeBSD developers <edgebsd-developers@xxxxxxxxxxxxxxxxx>
- Subject: Improving security in the binary distribution
- From: Pierre Pronchery <khorben@xxxxxxxxxxx>
- Date: Sun, 19 Jul 2015 19:11:47 +0200
- Delivered-to: edgebsd-developers@xxxxxxxxxxxxxxxxx
- Organization: The EdgeBSD Project
- User-agent: Mozilla/5.0 (X11; NetBSD amd64; rv:38.0) Gecko/20100101 Thunderbird/38.0.1
Hi developers, as some of you may know already, I have spent some time again looking at improving the security of the binary distribution. As for the base system, SSP and ASLR (full with PIE this time) are now enabled by default on x86 platforms, including during installation and on Xen kernels (hosts and guests). For pkgsrc in particular, see: http://mail-index.netbsd.org/tech-pkg/2015/05/27/msg014911.html http://mail-index.netbsd.org/tech-pkg/2015/07/18/msg015276.html While I do not see either discussion leading to much changes upstream unfortunately, it is my intention to enable as much as possible of this work in the next bulk of binary packages for EdgeBSD. As a reminder, what we already had there: - unprivileged builds - contained builds (chroot in dedicated virtual machine instances) - signed packages and sets (with fixes) To which I am now preparing to add: - SSP for all packages - full ASLR support for all packages (PIE) A few changes are still pending before launching the first builds: - signed system packages - registering binaries breaking with ASLR (firefox, thunderbird, libreoffice...) In a more distant future, I will also consider: - enabling RELRO (I do not fully grasp the implications atm) - supporting pkgng (this is too much work for the moment) Let me know how this sounds. Cheers! -- khorben
- Prev by Date: Introducing the integration branches
- Next by Date: Re: [edgebsd-developers] Welcome, cfkoch!
- Previous by thread: Introducing the integration branches
- Index(es):