Hardened builds

Amongst the recent set of Packaging Guidelines changes written up and announced (thanks spot!) was this one.  If you maintain a package for anything that has an executable that’s long running, like a server daemon, runs as root, is setuid or uses capabilities, or accepts untrusted input, I strongly recommend you have a read.  Then consider trying it out on your relevant package(s).

I ran down my list, and identified several that seemed like good candidates.  Most programs build just fine with the change, and it’s only 1 line added to the spec file, which calls a macro to add to the build flags, so it’s easy to do.  Most code won’t show any run-time effects, other than a tiny reduction in startup speed from lack of prelinking, but for a long-running and/or root process, it’s more than worth it for the extra security.

Given that F17 Beta is gold and on its imminent way, this is a great time to try it in F18. In the unlikely event that it breaks anything, you have plenty of time to fix it.

 
