2014-04-15 14:23 GMT+02:00 Paul Wise <p...@debian.org>: > On Tue, Apr 15, 2014 at 8:15 PM, Christian Hofstaedtler wrote: > >> I think that as of today it would help more to fix various upstream >> build tools to actually honor the build flags we (using >> dpkg-buildflags) set. This would benefit both the regular >> architectures and any hypothetical hardened archs. > > Also necessary is for them to support being built with other compilers. As a package maintainer I make sure that an other compiler and additional flags are honored whenever it is possible/reasonable by either patching the build system or upstreaming the patches. It is worth the effort and is definitely needed, but changing GCC defaults would speed up making the binaries protected.
> >> Regarding a special hardened arch, I think on amd64 there's almost >> no benefit of making a seperate arch: just turn on all the hardening >> stuff in amd64, the hardware is fast enough to tolerate some >> slowdown as a tradeoff for better security. >> No ideas for/about the other archs. > > You need a separate architecture if your security enhancements are > going to give a 50% speed hit. > > https://events.ccc.de/congress/2013/Fahrplan/events/5412.html > https://media.ccc.de/browse/congress/2013/30C3_-_5412_-_en_-_saal_1_-_201312271830_-_bug_class_genocide_-_andreas_bogk.html Yes, I fully agree with Paul on this. I was thinking of enabling address sanitizer in Wireshark (wearing my upstream hat), but the performance impact (2x slowdown) would be too much for some heavy users. http://clang.llvm.org/docs/AddressSanitizer.html I think it could be enabled in a separate arch. Cheers, Balint > > -- > bye, > pabs > > http://wiki.debian.org/PaulWise -- To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/CAK0OdpwprpTgAFub=9ogjC=p9ghgjrbaqmny-pbj5mno-ky...@mail.gmail.com
