[arch-dev-public] Proposal: enabling full ASLR on x86_64 via hardening-wrapper

Daniel Micay danielmicay at gmail.com
Fri Dec 26 02:01:48 UTC 2014

On 25/12/14 07:56 PM, Allan McRae wrote:
> I'd guess it has a good change to be included in gcc-5.0.  If it gets
> committed I can backport immediately.
> I am not in favour of using the hardening script because I don't find it
> adheres to what we consider KISS. 

I can understand that. It works the same way as ccache/distcc though,
which have integration in makepkg via PATH injection. It's an ugly hack,
but it's not the only place it's used and I think the practical benefit
of enforcing hardening flags outweighs the loss of purity.

I could file a few hundred bugs on our tracker for packages ignoring
LDFLAGS, but it's going to take a lot of effort to do the same for
CFLAGS because of false positives. I'll start doing that if it's the
only option but I don't think anyone - myself or the packagers - is
going to be very happy about it.

The lack of ASLR is very disappointing, because it's so easy to enable
it and there aren't tangible drawbacks. It's a very difficult obstacle
to overcome in most cases too. I can't recommend that anyone who cares
about their security and privacy use a distribution without it. It's
even enabled across the board on Windows, OS X and Android... I think
that's a pretty high cost to pay for a sense of purity.

I'll continue waiting to see what happens with the GCC patches but I'm
not too optimistic about that. The reasoning behind the rejection of the
past bugs / patches was primarily that this should be handled in
autotools (ignoring that most projects don't use it) and that still
applies to this attempt.

> Our build system is supposed to be simple and entirely transparent when
> looking at the PKGBUILD and default makepkg.conf.  Any user can run "abs"
> and "makepkg" and get (roughly) the same package.

It's still just as reproducible. A user may have a different version or
configuration of GCC. The hardening-wrapper package exists so users may
have it installed, whether or not it's pulled in by default.

The best you can get to a reproducible build is by using devtools but
even that is going to pull in the current set of packages rather than
whatever the packager used. There are many packages that don't build

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-dev-public/attachments/20141225/53d49b61/attachment.bin>

More information about the arch-dev-public mailing list