On Thu, 07 Jan 2010, Henrique de Moraes Holschuh wrote:
> So, the question that needs an answer is: _why_ isn't it upstream yet?
And that has been answered in another part of this thread.
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness gri
On Tue, 05 Jan 2010, Michael Gilbert wrote:
> On Wed, 6 Jan 2010 11:01:01 +0800 Paul Wise wrote:
> > On Wed, Jan 6, 2010 at 9:20 AM, Kees Cook wrote:
> > > There is a maintained (by RedHat) patch for dealing with PIE. I already
> >
> > It is perfectly reasonable to reject patches until they are
On Wed, 2010-01-06 at 21:46 +0100, Jan Kratochvil wrote:
> All the GDB patches/data I have available are public. All the expressed
> opinions are my personal ones unrelated to Red Hat or even the Archer
> project.
Thanks for the detailed and extensive information and your work on GDB.
--
bye,
On Wed, 06 Jan 2010 14:30:40 +0100, Marco d'Itri wrote:
> On Jan 06, Julien Cristau wrote:
> > > Remember that item 4 of the social contract states that: "Our
> > > priorities are our users and free software."
> > Every time you say that, god kills a kitten. Please, think of the
> > kittens.
> W
On Wed, 06 Jan 2010 09:29:42 +0100, Paul Wise wrote:
> > Hmm, OK. I'm quite surprised Fedora carries so many[1] patches to GDB,
> > 1. http://cvs.fedoraproject.org/viewvc/rpms/gdb/devel/
Temporarily current "devel" is:
http://cvs.fedoraproject.org/viewvc/rpms/gdb/F-12/
(but you are right
On Jan 06, Julien Cristau wrote:
> > Remember that item 4 of the social contract states that: "Our
> > priorities are our users and free software."
> Every time you say that, god kills a kitten. Please, think of the
> kittens.
We need something like Godwin's law about it.
--
ciao,
Marco
On Wed, Jan 06, 2010 at 10:00:55AM +, Julien Cristau wrote:
> On Tue, Jan 5, 2010 at 23:05:30 -0500, Michael Gilbert wrote:
>
> > Remember that item 4 of the social contract states that: "Our
> > priorities are our users and free software."
>
> Every time you say that, god kills a kitten. P
On Tue, Jan 5, 2010 at 23:05:30 -0500, Michael Gilbert wrote:
> Remember that item 4 of the social contract states that: "Our
> priorities are our users and free software."
Every time you say that, god kills a kitten. Please, think of the
kittens.
Cheers,
Julien
--
To UNSUBSCRIBE, email to
On Wed, Jan 6, 2010 at 4:28 PM, Paul Wise wrote:
> On Wed, Jan 6, 2010 at 12:37 PM, Kees Cook wrote:
>> On Wed, Jan 06, 2010 at 11:01:01AM +0800, Paul Wise wrote:
>>> On Wed, Jan 6, 2010 at 9:20 AM, Kees Cook wrote:
>>>
>>> > There is a maintained (by RedHat) patch for dealing with PIE. I alrea
On Wed, Jan 6, 2010 at 12:37 PM, Kees Cook wrote:
> On Wed, Jan 06, 2010 at 11:01:01AM +0800, Paul Wise wrote:
>> On Wed, Jan 6, 2010 at 9:20 AM, Kees Cook wrote:
>>
>> > There is a maintained (by RedHat) patch for dealing with PIE. I already
>> > maintain a delta for this in Ubuntu, but as you
Hi,
On Wed, Jan 06, 2010 at 11:01:01AM +0800, Paul Wise wrote:
> On Wed, Jan 6, 2010 at 9:20 AM, Kees Cook wrote:
>
> > There is a maintained (by RedHat) patch for dealing with PIE. I already
> > maintain a delta for this in Ubuntu, but as you can see in the gdb bug,
> > the gdb maintainer does
On Wed, 6 Jan 2010 11:01:01 +0800 Paul Wise wrote:
> On Wed, Jan 6, 2010 at 9:20 AM, Kees Cook wrote:
>
> > There is a maintained (by RedHat) patch for dealing with PIE. I already
> > maintain a delta for this in Ubuntu, but as you can see in the gdb bug,
> > the gdb maintainer doesn't want it
On Wed, Jan 6, 2010 at 9:20 AM, Kees Cook wrote:
> There is a maintained (by RedHat) patch for dealing with PIE. I already
> maintain a delta for this in Ubuntu, but as you can see in the gdb bug,
> the gdb maintainer doesn't want it until it's in upstream. I, obviously,
> think that's ridiculo
On Thu, Dec 24, 2009 at 12:23:01PM +0100, Stefan Fritsch wrote:
> On Thu, 24 Dec 2009, Kees Cook wrote:
> >>>With the new package, the arch-specific logic for hardening defaults
> >>>is in one place, and a maintainer can selectively disable anything they
> >>>don't want on by default.
> >>
> >>This
On Sat, Dec 26, 2009 at 01:29:48AM +0100, Kurt Roeckx wrote:
> On Tue, Oct 27, 2009 at 11:51:35PM +0100, Bastian Blank wrote:
> > What would be a step forward:
> > - Make any code PIC, including binaries (PIE) and static libs.
> static libs would need to be PIE, not PIC.
The differences between PI
On Tue, Oct 27, 2009 at 11:51:35PM +0100, Bastian Blank wrote:
> What would be a step forward:
[...]
> - Make any code PIC, including binaries (PIE) and static libs.
static libs would need to be PIE, not PIC.
This is something that's not properly supported on all our arches.
Some people will also
On Thu, 24 Dec 2009, Kees Cook wrote:
> > Anyway, I'd appreciate a bug report against amavisd-new with whatever
> > information is pertinent about PIE, if you guys want us to add it to the
> > package.
>
> I already opened it in August when I added the patch for it in Ubuntu. :)
> http://bugs.deb
Hi Henrique,
On Thu, Dec 24, 2009 at 03:25:32PM -0200, Henrique de Moraes Holschuh wrote:
> On Thu, 24 Dec 2009, Kees Cook wrote:
> > That's certainly a viable plan. This is kind of the approach we took in
> > Ubuntu for the PIE feature. We also considered packages with a less than
> > stellar s
On Thu, 24 Dec 2009, Kees Cook wrote:
> That's certainly a viable plan. This is kind of the approach we took in
> Ubuntu for the PIE feature. We also considered packages with a less than
> stellar security history. The list of packages built with PIE in Ubuntu
> is: (see https://wiki.ubuntu.com/
Kees Cook writes:
> And built with hardening-includes:
> openbsd-inetd
tcpdump
--
Romain Francoise
http://people.debian.org/~rfrancoise/
On Thu, 24 Dec 2009, Kees Cook wrote:
With the new package, the arch-specific logic for hardening defaults
is in one place, and a maintainer can selectively disable anything they
don't want on by default.
This might be a good compromise to get network services hardened
without changing the defa
[dropped debian-gcc from the CCs as this is probably rather off topic now]
Hi Petter,
On Mon, Dec 21, 2009 at 08:16:08AM +0100, Petter Reinholdtsen wrote:
> [Kees Cook]
> > As an example, I have a debdiff against openssh to use it:
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=561887
> >
>
[Kees Cook]
> As an example, I have a debdiff against openssh to use it:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=561887
>
> With the new package, the arch-specific logic for hardening defaults
> is in one place, and a maintainer can selectively disable anything they
> don't want on by d
Hi,
On Tue, Nov 24, 2009 at 09:38:41PM +0100, Moritz Muehlenhoff wrote:
> On 2009-11-05, Kees Cook wrote:
> > This would certainly be better than nothing, and better than the
> > hardening-wrapper package, but it would require that every package in
> > Debian be modified to respect external envir
["Followup-To:" header set to gmane.linux.debian.devel.general.]
On 2009-11-05, Kees Cook wrote:
>> The majority of distributions does turn on these options during
>> package build time, which IMO is the right thing to do. Debian
>> should do the same. There's now Raphael's new framework in place
On Sun, Nov 01, 2009 at 08:10:44PM +0100, Samuel Thibault wrote:
> > In general you cannot rely on checking errno because it is not defined
> > whether a successful operation clears it.
>
> But you can clear it by hand before calling them.
That's only true in some special cases; for example, SuS
On Sun, Nov 01, 2009 at 08:10:44PM +0100, Samuel Thibault wrote:
> Ben Hutchings, on Sun 01 Nov 2009 19:06:59 +, wrote:
> > On Sun, 2009-11-01 at 19:53 +0100, Matthias Klose wrote:
> > > there are some functions in glibc which are questionably declared with
> > > the "warn
> > > about unus
Ben Hutchings, on Sun 01 Nov 2009 19:06:59 +, wrote:
> On Sun, 2009-11-01 at 19:53 +0100, Matthias Klose wrote:
> > On 25.10.2009 19:55, Kees Cook wrote:
> [...]
> > > - makes more work for dealing with warnings.
> > > Rebuttal: those warnings are there for a reason -- they can
On Sun, 2009-11-01 at 19:53 +0100, Matthias Klose wrote:
> On 25.10.2009 19:55, Kees Cook wrote:
[...]
> > - makes more work for dealing with warnings.
> > Rebuttal: those warnings are there for a reason -- they can
> >be real security issues, and should be fixed.
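The exchange above turns on glibc's warn_unused_result annotations and on whether clearing errno by hand is a substitute for looking at a function's return value. The following is an added example, not code posted by anyone in this thread. It assumes Linux (a non-blocking pipe whose default capacity is 64 KiB is the constructed fixture) and shows the concrete way the errno-only pattern fails even when errno is cleared first: write() can accept part of a buffer and return a short count with errno untouched, so "errno is still 0" reads as success while most of the data was never written. The return-value pattern loops on the short write and surfaces the real condition.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

struct outcome {
    int ok;            /* what the checking strategy concluded: 1 = success */
    ssize_t accepted;  /* bytes the kernel actually took (errno-only path) */
    int err;           /* errno reported by the return-value path, 0 if none */
};

/* Write all of buf, retrying on short writes and on EINTR.
 * Returns 0 on success, -1 on failure with errno as left by write(2). */
int write_all(int fd, const void *buf, size_t len)
{
    const unsigned char *p = buf;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;          /* interrupted before any byte went out: retry */
            return -1;             /* real error (EAGAIN, ENOSPC, EPIPE, ...) */
        }
        p += n;
        len -= (size_t)n;          /* short write: loop for the remainder */
    }
    return 0;
}

/* Constructed fixture (assumption: Linux): an empty pipe whose write end is
 * non-blocking, so a write larger than the pipe capacity is only partially
 * accepted and write() returns a short count rather than an error. */
static int make_fixture(size_t len, int fds[2], unsigned char **buf)
{
    *buf = calloc(1, len);
    if (*buf == NULL || pipe(fds) < 0) {
        free(*buf);
        return -1;
    }
    int fl = fcntl(fds[1], F_GETFL);
    if (fl < 0 || fcntl(fds[1], F_SETFL, fl | O_NONBLOCK) < 0) {
        close(fds[0]);
        close(fds[1]);
        free(*buf);
        return -1;
    }
    return 0;
}

static void drop_fixture(int fds[2], unsigned char *buf)
{
    close(fds[0]);
    close(fds[1]);
    free(buf);
}

/* The pattern the warning exists to catch: clear errno, call write() once,
 * ignore what it returns, and take "errno still 0" as success. */
struct outcome errno_only_check(size_t len)
{
    struct outcome o = { 0, -1, 0 };
    int fds[2];
    unsigned char *buf;
    if (make_fixture(len, fds, &buf) < 0)
        return o;
    errno = 0;
    ssize_t n = write(fds[1], buf, len);   /* the anti-pattern never looks at n; */
    o.ok = (errno == 0);                   /* it is kept here only to show the loss */
    o.accepted = n;
    drop_fixture(fds, buf);
    return o;
}

/* The same fixture handled by return value: the short write is noticed and
 * the retry surfaces the real condition (EAGAIN here) to the caller. */
struct outcome return_value_check(size_t len)
{
    struct outcome o = { 0, -1, 0 };
    int fds[2];
    unsigned char *buf;
    if (make_fixture(len, fds, &buf) < 0)
        return o;
    int rc = write_all(fds[1], buf, len);
    o.ok = (rc == 0);
    o.err = rc < 0 ? errno : 0;
    drop_fixture(fds, buf);
    return o;
}

int main(void)
{
    size_t big = 2u << 20;   /* 2 MiB, well above any default pipe capacity */
    struct outcome a = errno_only_check(big);
    struct outcome b = return_value_check(big);
    printf("errno-only: ok=%d, but only %zd of %zu bytes were written\n",
           a.ok, a.accepted, big);
    printf("return-value: ok=%d, errno=%d (%s)\n", b.ok, b.err, strerror(b.err));
    return 0;
}
```

The short-write case is the one that makes the warning more than pedantry: no error is ever signalled, so no amount of errno hygiene catches it, and a daemon that logs or persists that way silently drops data. The same loop structure applies to read(), send() and recv().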
On 25.10.2009 19:55, Kees Cook wrote:
Hello,
I would like to propose enabling[1] the GCC hardening patches that Ubuntu
uses[2]. Ubuntu has used it successfully for 1.5 years now (3 releases),
and many of the issues have already been fixed in packages that needed
adjustment[3]. After all this t
On Thu, 29 Oct 2009, Kees Cook wrote:
> On Thu, Oct 29, 2009 at 10:01:08PM -0200, Henrique de Moraes Holschuh wrote:
> > On Tue, 27 Oct 2009, Kees Cook wrote:
> > > On Mon, Oct 26, 2009 at 11:14:25AM +0100, Bastian Blank wrote:
> > > > On Sun, Oct 25, 2009 at 11:55:25AM -0700, Kees Cook wrote:
> >
On Thu, Oct 29, 2009 at 10:01:08PM -0200, Henrique de Moraes Holschuh wrote:
> On Tue, 27 Oct 2009, Kees Cook wrote:
> > On Mon, Oct 26, 2009 at 11:14:25AM +0100, Bastian Blank wrote:
> > > On Sun, Oct 25, 2009 at 11:55:25AM -0700, Kees Cook wrote:
> > > > I would like to propose enabling[1] the GC
On Tue, 27 Oct 2009, Kees Cook wrote:
> On Mon, Oct 26, 2009 at 11:14:25AM +0100, Bastian Blank wrote:
> > On Sun, Oct 25, 2009 at 11:55:25AM -0700, Kees Cook wrote:
> > > I would like to propose enabling[1] the GCC hardening patches that Ubuntu
> > > uses[2].
> >
> > How do they work? Do they als
On Thu, 29 Oct 2009, Christoph Anton Mitterer wrote:
> On Tue, 2009-10-27 at 22:19 -0200, Henrique de Moraes Holschuh wrote:
> > Well, the issue raised in LKML is that you absolutely should *not* enable
> > -fstack-protector-all unless you _really_ know what you're doing, and most
> > certainly not
On Tue, 2009-10-27 at 22:19 -0200, Henrique de Moraes Holschuh wrote:
> Well, the issue raised in LKML is that you absolutely should *not* enable
> -fstack-protector-all unless you _really_ know what you're doing, and most
> certainly not by default. It has nothing to do with -fstack-protector, ju
Hi,
On Tue, Oct 27, 2009 at 10:19:22PM -0200, Henrique de Moraes Holschuh wrote:
> On Tue, 27 Oct 2009, Kees Cook wrote:
> > > > It seems the kernel will not be happy if the stack protector is switched
> > > > on unconditionally:
> > > >
> > > > http://osdir.com/ml/linux-kernel/2009-10/msg07064.h
On Tue, 27 Oct 2009, Kees Cook wrote:
> > > It seems the kernel will not be happy if the stack protector is switched
> > > on unconditionally:
> > >
> > > http://osdir.com/ml/linux-kernel/2009-10/msg07064.html
> >
> > Indeed. The kernel build system needs to be able to command whether
> > stackp
On Mon, Oct 26, 2009 at 09:41:59PM +0100, Christoph Anton Mitterer wrote:
> Ever thought about integrating PaX [0] per default in Debian?
What features does the grsecurity patch provide currently? I know that
several of the mentioned PaX features are supported in vanilla kernel in
the meantime:
-
On Tue, 2009-10-27 at 15:48 +0800, Paul Wise wrote:
> http://wiki.debian.org/DebianKernelPatchAcceptanceGuidelines
> http://kernel-handbook.alioth.debian.org/ch-source.html#s-acceptance
The thing is,..
A patch like PaX would (IMHO) improve security a lot,... and it would be
worth thinking for a dis
On Tue, 2009-10-27 at 09:32 +0800, Paul Wise wrote:
> Any idea if these patches will be merged upstream?
It's probably quite unlikely,... although I never understood why,..
Even though it's available for some architectures,.. it would improve
security at least on them.
Cheers,
Hi,
On Tue, Oct 27, 2009 at 01:30:12PM -0200, Henrique de Moraes Holschuh wrote:
> On Mon, 26 Oct 2009, Gabor Gombas wrote:
> > On Mon, Oct 26, 2009 at 11:14:25AM +0100, Bastian Blank wrote:
> > > On Sun, Oct 25, 2009 at 11:55:25AM -0700, Kees Cook wrote:
> > > > I would like to propose enabling[1
Kees Cook, on Tue 27 Oct 2009 14:11:43 -0700, wrote:
> On Mon, Oct 26, 2009 at 11:14:25AM +0100, Bastian Blank wrote:
> > On Sun, Oct 25, 2009 at 11:55:25AM -0700, Kees Cook wrote:
> > > I would like to propose enabling[1] the GCC hardening patches that Ubuntu
> > > uses[2].
> >
> > How do they
On Mon, Oct 26, 2009 at 11:14:25AM +0100, Bastian Blank wrote:
> On Sun, Oct 25, 2009 at 11:55:25AM -0700, Kees Cook wrote:
> > I would like to propose enabling[1] the GCC hardening patches that Ubuntu
> > uses[2].
>
> How do they work? Do they also change the free-standing compiler or only
> the
On Mon, 26 Oct 2009, Gabor Gombas wrote:
> On Mon, Oct 26, 2009 at 11:14:25AM +0100, Bastian Blank wrote:
> > On Sun, Oct 25, 2009 at 11:55:25AM -0700, Kees Cook wrote:
> > > I would like to propose enabling[1] the GCC hardening patches that Ubuntu
> > > uses[2].
> >
> > How do they work? Do they
On Tue, Oct 27, 2009 at 2:52 PM, Yves-Alexis Perez wrote:
> On Tue., 2009-10-27 at 09:32 +0800, Paul Wise wrote:
>> On Tue, Oct 27, 2009 at 4:41 AM, Christoph Anton Mitterer
>> wrote:
>>
>> > Ever thought about integrating PaX [0] per default in Debian?
>> > I'm however not sure how much this act
On Tue., 2009-10-27 at 09:32 +0800, Paul Wise wrote:
> On Tue, Oct 27, 2009 at 4:41 AM, Christoph Anton Mitterer
> wrote:
>
> > Ever thought about integrating PaX [0] per default in Debian?
> > I'm however not sure how much this actually breaks ;)
>
> Any idea if these patches will be merged ups
On Tue, Oct 27, 2009 at 4:41 AM, Christoph Anton Mitterer
wrote:
> Ever thought about integrating PaX [0] per default in Debian?
> I'm however not sure how much this actually breaks ;)
Any idea if these patches will be merged upstream?
--
bye,
pabs
http://wiki.debian.org/PaulWise
Hi.
Ever thought about integrating PaX [0] per default in Debian?
I'm however not sure how much this actually breaks ;)
Cheers,
Chris.
[0] http://pax.grsecurity.net/
Hi,
On Mon, Oct 26, 2009 at 01:36:28PM +0100, Florian Weimer wrote:
> * Kees Cook:
> > I would like to propose enabling[1] the GCC hardening patches that Ubuntu
> > uses[2].
>
> Seems a good idea to me. But I think we should defer the required
> full archive rebuild until we've got the hardening
* Kees Cook:
> I would like to propose enabling[1] the GCC hardening patches that Ubuntu
> uses[2].
Seems a good idea to me. But I think we should defer the required
full archive rebuild until we've got the hardening patch for operator
new[] (which currently can return a heap block which is smal
On Mon, Oct 26, 2009 at 11:14:25AM +0100, Bastian Blank wrote:
> On Sun, Oct 25, 2009 at 11:55:25AM -0700, Kees Cook wrote:
> > I would like to propose enabling[1] the GCC hardening patches that Ubuntu
> > uses[2].
>
> How do they work? Do they also change the free-standing compiler or only
> the
On Sun, Oct 25, 2009 at 11:55:25AM -0700, Kees Cook wrote:
> I would like to propose enabling[1] the GCC hardening patches that Ubuntu
> uses[2].
How do they work? Do they also change the free-standing compiler or only
the hosted one? There is a lot of software, which (I would say) misuse
the hos
> On Monday 26 October 2009 09:22:26 Marco d'Itri wrote:
> > > I would like to propose enabling[1] the GCC hardening patches that Ubuntu
> > > uses[2].
> >
> > Seconded.
>
> Thirded.
>
+1.
Thanks for bringing this up,
Michael
Kees Cook writes:
> I would like to propose enabling[1] the GCC hardening patches that Ubuntu
> uses[2]. Ubuntu has used it successfully for 1.5 years now (3 releases),
> and many of the issues have already been fixed in packages that needed
> adjustment[3]. After all this time, use of the hard
On Monday 26 October 2009 09:22:26 Marco d'Itri wrote:
> > I would like to propose enabling[1] the GCC hardening patches that Ubuntu
> > uses[2].
>
> Seconded.
Thirded.
On Oct 25, Kees Cook wrote:
> I would like to propose enabling[1] the GCC hardening patches that Ubuntu
> uses[2].
Seconded.
hardening-wrapper does not look like a solution to me since it execs
perl for each call to gcc and ld when installed (even when inactive).
And as you noticed, nobody uses
On Sun, Oct 25, 2009 at 03:21:01PM -0400, James Vega wrote:
> On Sun, Oct 25, 2009 at 11:55:25AM -0700, Kees Cook wrote:
> > Arguments against:
> > - makes the compiler's behavior different than stock compiler.
> > Rebuttal: honestly, I don't care -- it seems like such a
> >
On Sun, Oct 25, 2009 at 11:55:25AM -0700, Kees Cook wrote:
> Arguments against:
> - makes the compiler's behavior different than stock compiler.
> Rebuttal: honestly, I don't care -- it seems like such a
> huge win for safety and is easy to debug. Debian
>
Hello,
I would like to propose enabling[1] the GCC hardening patches that Ubuntu
uses[2]. Ubuntu has used it successfully for 1.5 years now (3 releases),
and many of the issues have already been fixed in packages that needed
adjustment[3]. After all this time, use of the hardening-wrapper[4]
pac
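The proposal above, and the PIE sub-thread earlier in the results, is about making the compiler and linker emit hardened binaries by default. What a maintainer then needs is a way to confirm that a given build actually came out that way, since a package whose debian/rules overrides CFLAGS or LDFLAGS silently loses the defaults. The following is an added example, not code from the thread or from the hardening-includes/hardening-wrapper packages. It assumes Linux with glibc's <elf.h>, a little-endian host, and ELF64; the two images it inspects are constructed in memory (header plus program headers only) to mimic a `-pie -z relro -z noexecstack` link and a stock non-PIE link. It reads the three properties visible from the headers alone: PIE (ET_DYN executable), RELRO (a PT_GNU_RELRO segment) and a non-executable stack (PT_GNU_STACK without PF_X). Stack-protector use is not visible here; that needs the dynamic symbol table (a reference to __stack_chk_fail).

```c
#include <elf.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct hardening {
    int pie;          /* ET_DYN executable: built -fPIE and linked -pie */
    int relro;        /* PT_GNU_RELRO present: linked with -z relro */
    int exec_stack;   /* PT_GNU_STACK missing or marked PF_X */
};

/* Inspect an in-memory ELF64 image (assumption: host and image share byte
 * order). Returns 0 and fills *h, or -1 if the image is not a sane ELF64. */
int check_hardening(const unsigned char *img, size_t len, struct hardening *h)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh)
        return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_phentsize != sizeof(Elf64_Phdr))
        return -1;

    h->pie = (eh.e_type == ET_DYN);
    h->relro = 0;
    h->exec_stack = 1;   /* no PT_GNU_STACK at all: kernel grants an executable stack */

    for (size_t i = 0; i < eh.e_phnum; i++) {
        size_t off = (size_t)eh.e_phoff + i * sizeof(Elf64_Phdr);
        if (off + sizeof(Elf64_Phdr) > len)
            return -1;   /* truncated image: do not trust a partial table */
        Elf64_Phdr ph;
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type == PT_GNU_RELRO)
            h->relro = 1;
        else if (ph.p_type == PT_GNU_STACK)
            h->exec_stack = (ph.p_flags & PF_X) != 0;
    }
    return 0;
}

/* Constructed sample image with only the fields the check reads.
 * hardened=1 mimics a -pie -z relro -z noexecstack link; hardened=0 mimics
 * a stock ET_EXEC link with an executable stack. Returns the image length. */
size_t build_sample(unsigned char *img, int hardened)
{
    Elf64_Ehdr eh;
    Elf64_Phdr ph[2];
    memset(&eh, 0, sizeof eh);
    memset(ph, 0, sizeof ph);

    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = hardened ? ET_DYN : ET_EXEC;
    eh.e_machine = EM_X86_64;
    eh.e_version = EV_CURRENT;
    eh.e_phoff = sizeof eh;
    eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum = hardened ? 2 : 1;

    ph[0].p_type = PT_GNU_STACK;
    ph[0].p_flags = PF_R | PF_W | (hardened ? 0 : PF_X);
    ph[1].p_type = PT_GNU_RELRO;
    ph[1].p_flags = PF_R;

    memcpy(img, &eh, sizeof eh);
    memcpy(img + sizeof eh, ph, eh.e_phnum * sizeof(Elf64_Phdr));
    return sizeof eh + eh.e_phnum * sizeof(Elf64_Phdr);
}

/* Bitmask summary of a sample: bit0 = pie, bit1 = relro, bit2 = exec_stack;
 * -1 if the image did not parse. */
int sample_flags(int hardened)
{
    unsigned char img[sizeof(Elf64_Ehdr) + 2 * sizeof(Elf64_Phdr)];
    struct hardening h;
    size_t len = build_sample(img, hardened);
    if (check_hardening(img, len, &h) < 0)
        return -1;
    return h.pie | (h.relro << 1) | (h.exec_stack << 2);
}

int main(void)
{
    for (int hardened = 0; hardened < 2; hardened++) {
        unsigned char img[sizeof(Elf64_Ehdr) + 2 * sizeof(Elf64_Phdr)];
        struct hardening h;
        size_t len = build_sample(img, hardened);
        if (check_hardening(img, len, &h) < 0)
            return 1;
        printf("%s build: pie=%d relro=%d exec_stack=%d\n",
               hardened ? "hardened" : "stock", h.pie, h.relro, h.exec_stack);
    }
    return 0;
}
```

On a real binary `readelf -h -l` shows the same three fields (Type, the GNU_RELRO line and the GNU_STACK flags). Two caveats: ET_DYN is also what a shared library is, so the PIE test only means something for a file that is actually an executable, and a PT_GNU_RELRO segment says the linker reserved the region, not that all relocations land in it (that is the `-z now` part, visible as BIND_NOW in the dynamic section).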