#nixos-security on 2021-02-12

2020-11-04 15:50 andi- changed the topic of #nixos-security to: Vulnerability Roundup Issues: https://github.com/NixOS/nixpkgs/issues?utf8=%E2%9C%93&q=is%3Aissue+is%3Aopen+Vulnerability+roundup + https://broken.sh | Currently supported releases: unstable (master), 20.09, 20.03 (until 27th of November)

00:48 supersandro2000 has quit [Disconnected by services]

00:48 supersandro2000 has joined #nixos-security

01:11 rajivr has joined #nixos-security

02:22 craige has joined #nixos-security

07:13 fabian_a has joined #nixos-security

09:20 fabian_a has quit [Quit: Leaving]

09:21 faffolter has joined #nixos-security

09:21 faffolter has quit [Changing host]

09:22 fabian_a has joined #nixos-security

09:22 faffolter has quit [Remote host closed the connection]

09:25 fabian_a has quit [Client Quit]

09:30 faffolter has joined #nixos-security

09:31 faffolter has quit [Client Quit]

09:31 fabian_a has joined #nixos-security

09:40 cole-h has quit [Ping timeout: 240 seconds]

16:33 cole-h has joined #nixos-security

17:30 rajivr has quit [Quit: Connection closed for inactivity]

17:57 cwslimy[m] has joined #nixos-security

18:05 Synthetica has joined #nixos-security

19:19 cole-h has quit [Ping timeout: 240 seconds]

20:15 fabian_a has quit [Ping timeout: 240 seconds]

20:16 fabian_a has joined #nixos-security

20:58 star_cloud has quit [Remote host closed the connection]

20:58 star_cloud has joined #nixos-security

21:08 star_cloud has quit [Excess Flood]

21:09 star_cloud has joined #nixos-security

22:22 <qyliss> what if I told you that almost every hardeningDisable in Nixpkgs disables hardening features unnecessarily

22:23 <hexa-> I would believe you

22:25 <gchristensen> ^

22:26 <qyliss> :)

22:26 <qyliss> do we think a package building without the hardeningDisable is enough to justify removing it, or do I need to manually investigate all of these?

23:04 <hexa-> if hardening can be enabled without feature compromise *shrug*

23:04 <hexa-> i'm all for it

23:05 <qyliss> well the thing is, if I enable it en masse it's difficult to be sure everything is going to work at runtime

23:06 <hexa-> yep

23:06 <hexa-> maybe quickly after 21.05 is out? :p

23:10 <qyliss> hmm, that's a very long time away

23:10 <qyliss> we still have most of a normal release period until then

23:11 <supersandro2000> at least for darwin removing them results in some build failures. don't remember which packages though

23:12 <qyliss> I can filter out any that cause build failures, so I'm not worried about those

23:13 <hexa-> depends how long we want to get feedback on how much is broken really

23:19 <ajs124> qyliss: is #104091 related to what you're thinking of doing?

23:19 <{^_^}> https://github.com/NixOS/nixpkgs/pull/104091 (by TredwellGit, 12 weeks ago, open): treewide: enable security hardening flags

23:20 <qyliss> ajs124: no, I'm thinking of removing every instance of hardeningDisable that doesn't cause a build to fail

23:21 <qyliss> because hardeningDisables mostly seem to have been added years ago and since been fixed upstream

23:21 <ajs124> ah, that way around. Makes sense.

23:21 <Foxboron> PIE and RELRO on go binaries can trigger quite delicate race conditions at run-time which is hard to figure out during tests as -race doesn't actually work.

23:22 <Foxboron> (I have no clue how hardeningDisable works with the go stuff)

23:22 <qyliss> okay, in that case it sounds like I should investigate for each one why it was added

23:22 <qyliss> I'm fine with doing that, just going to take more time obviously

23:23 <Foxboron> I have had quite hairy runtime issues in the docker stack with pie/relro enabled on Arch. But they do a lot of *weird* stuff. Most tools outside of the OCI/container space works just fine.

23:27 <Foxboron> But apart from that I know Arch and Fedora runs a lot of hardening flags with extremely few cases where it compromises features.