andi- changed the topic of #nixos-security to: Vulnerability Roundup Issues: + | Currently supported releases: unstable (master), 20.09, 20.03 (until 27th of November)
supersandro2000 has quit [Disconnected by services]
supersandro2000 has joined #nixos-security
rajivr has joined #nixos-security
craige has joined #nixos-security
fabian_a has joined #nixos-security
fabian_a has quit [Quit: Leaving]
faffolter has joined #nixos-security
faffolter has joined #nixos-security
faffolter has quit [Changing host]
fabian_a has joined #nixos-security
faffolter has quit [Remote host closed the connection]
fabian_a has quit [Client Quit]
faffolter has joined #nixos-security
faffolter has quit [Client Quit]
fabian_a has joined #nixos-security
cole-h has quit [Ping timeout: 240 seconds]
cole-h has joined #nixos-security
rajivr has quit [Quit: Connection closed for inactivity]
cwslimy[m] has joined #nixos-security
Synthetica has joined #nixos-security
cole-h has quit [Ping timeout: 240 seconds]
fabian_a has quit [Ping timeout: 240 seconds]
fabian_a has joined #nixos-security
star_cloud has quit [Remote host closed the connection]
star_cloud has joined #nixos-security
star_cloud has quit [Excess Flood]
star_cloud has joined #nixos-security
<qyliss> what if I told you that almost every hardeningDisable in Nixpkgs disables hardening features unnecessarily
<hexa-> I would believe you
<gchristensen> ^
<qyliss> :)
<qyliss> do we think a package building without the hardeningDisable is enough to justify removing it, or do I need to manually investigate all of these?
<hexa-> if hardening can be enabled without feature compromise *shrug*
<hexa-> i'm all for it
<qyliss> well the thing is, if I enable it en masse it's difficult to be sure everything is going to work at runtime
<hexa-> yep
<hexa-> maybe quickly after 21.05 is out? :p
<qyliss> hmm, that's a very long time away
<qyliss> we still have most of a normal release period until then
<supersandro2000> at least for darwin removing them results in some build failures. don't remember which packages though
<qyliss> I can filter out any that cause build failures, so I'm not worried about those
<hexa-> depends how long we want to get feedback on how much is broken really
<ajs124> qyliss: is #104091 related to what you're thinking of doing?
<{^_^}> (by TredwellGit, 12 weeks ago, open): treewide: enable security hardening flags
<qyliss> ajs124: no, I'm thinking of removing every instance of hardeningDisable that doesn't cause a build to fail
<qyliss> because hardeningDisables mostly seem to have been added years ago and since been fixed upstream
<ajs124> ah, that way around. Makes sense.
<Foxboron> PIE and RELRO on go binaries can trigger quite delicate race conditions at run-time which is hard to figure out during tests as -race doesn't actually work.
<Foxboron> (I have no clue how hardeningDisable works with the go stuff)
<qyliss> okay, in that case it sounds like I should investigate for each one why it was added
<qyliss> I'm fine with doing that, just going to take more time obviously
<Foxboron> I have had quite hairy runtime issues in the docker stack with pie/relro enabled on Arch. But they do a lot of *weird* stuff. Most tools outside of the OCI/container space works just fine.
<Foxboron> But apart from that I know Arch and Fedora runs a lot of hardening flags with extremely few cases where it compromises features.