pkgsrc-Changes archive
CVS commit: pkgsrc/doc/guide/files
Module Name: pkgsrc
Committed By: nia
Date: Sun Feb 13 11:16:35 UTC 2022
Modified Files:
pkgsrc/doc/guide/files: hardening.xml
Log Message:
guide: update RELRO dox
To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 pkgsrc/doc/guide/files/hardening.xml
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/doc/guide/files/hardening.xml
diff -u pkgsrc/doc/guide/files/hardening.xml:1.7 pkgsrc/doc/guide/files/hardening.xml:1.8
--- pkgsrc/doc/guide/files/hardening.xml:1.7 Fri Feb 11 08:02:05 2022
+++ pkgsrc/doc/guide/files/hardening.xml Sun Feb 13 11:16:35 2022
@@ -1,4 +1,4 @@
-<!-- $NetBSD: hardening.xml,v 1.7 2022/02/11 08:02:05 nia Exp $ -->
+<!-- $NetBSD: hardening.xml,v 1.8 2022/02/13 11:16:35 nia Exp $ -->
<appendix id="hardening">
<title>Security hardening</title>
@@ -142,38 +142,6 @@ Currently, this means NetBSD on x86, ARM
<varname>PKGSRC_MKPIE</varname> was enabled by default after the pkgsrc-2021Q3 branch.
</para>
</sect3>
-</sect2>
-
-<sect2 id="hardening.mechanisms.disabled">
-<title>Not enabled by default</title>
-
-<sect3 id="hardening.mechanisms.disabled.repro">
-<title>PKGSRC_MKREPRO</title>
-
-<para>
-With this option, pkgsrc will try to build packages reproducibly. This allows
-packages built from the same tree and with the same options, to produce
-identical results bit by bit. This option should be combined with ASLR and
-<varname>PKGSRC_MKPIE</varname> to avoid predictable address offsets for
-attackers attempting to exploit security vulnerabilities.
-</para>
-
-<para>
-More details can be found here:
-</para>
-
-<itemizedlist>
-<listitem>
-<para>
-<ulink url="https://reproducible-builds.org/">Reproducible Builds - a set of software development practices that create an independently-verifiable path from source to binary code</ulink>
-</para>
-</listitem>
-</itemizedlist>
-
-<para>
-More work likely needs to be done before pkgsrc is fully reproducible.
-</para>
-</sect3>
<sect3 id="hardening.mechanisms.enabled.relro">
<title>PKGSRC_USE_RELRO</title>
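Review bot: removing the `</sect2>`/`<sect2 id="hardening.mechanisms.disabled">` block here leaves `</sect3>` immediately followed by `<sect3 id="hardening.mechanisms.enabled.relro">` with no blank line between them, unlike every other sect3 boundary in the file (the hunk at the end of the patch adds a blank line before the stackcheck sect3, for example); add a blank line after the MKPIE `</sect3>` so the spacing stays consistent. The relocation itself is the right fix, since the RELRO sect3 already carries an `enabled.relro` id but was sitting under the "Not enabled by default" heading.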
@@ -188,7 +156,7 @@ difficult in some cases.
<itemizedlist>
<listitem>
<para>
-partial: the ELF sections are reordered so that internal data sections
+partial (the default): the ELF sections are reordered so that internal data sections
precede the program's own data sections, and non-PLT GOT is read-only;
</para>
</listitem>
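Review bot: "partial (the default)" documents a default without saying when it became one; the MKPIE paragraph above gives the reader the branch ("enabled by default after the pkgsrc-2021Q3 branch"), so this list item or the introductory paragraph should state the branch at which PKGSRC_USE_RELRO started defaulting to partial, e.g. "partial (the default since pkgsrc-<branch>)", with the actual branch filled in by the committer.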
@@ -203,8 +171,7 @@ can greatly slow down startup of large p
<para>
This is currently supported by GCC. Many software distributions now enable this
-feature by default, at the "partial" level. However, it cannot yet be enforced
-globally in pkgsrc through cwrappers.
+feature by default, at the "partial" level.
</para>
<para>
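Review bot: dropping "However, it cannot yet be enforced globally in pkgsrc through cwrappers." removes the only caveat but replaces it with nothing, so the paragraph now merely says other distributions enable partial RELRO; state positively what pkgsrc does, e.g. "pkgsrc enables this feature by default at the "partial" level" and, if the cwrappers limitation is truly gone, say so, otherwise the reader loses the information that enforcement depends on the wrapper path.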
@@ -220,6 +187,39 @@ More details can be found here:
</itemizedlist>
</sect3>
+</sect2>
+
+<sect2 id="hardening.mechanisms.disabled">
+<title>Not enabled by default</title>
+
+<sect3 id="hardening.mechanisms.disabled.repro">
+<title>PKGSRC_MKREPRO</title>
+
+<para>
+With this option, pkgsrc will try to build packages reproducibly. This allows
+packages built from the same tree and with the same options, to produce
+identical results bit by bit. This option should be combined with ASLR and
+<varname>PKGSRC_MKPIE</varname> to avoid predictable address offsets for
+attackers attempting to exploit security vulnerabilities.
+</para>
+
+<para>
+More details can be found here:
+</para>
+
+<itemizedlist>
+<listitem>
+<para>
+<ulink url="https://reproducible-builds.org/">Reproducible Builds - a set of software development practices that create an independently-verifiable path from source to binary code</ulink>
+</para>
+</listitem>
+</itemizedlist>
+
+<para>
+More work likely needs to be done before pkgsrc is fully reproducible.
+</para>
+</sect3>
+
<sect3 id="hardening.mechanisms.disabled.stackcheck">
<title>PKGSRC_USE_STACK_CHECK</title>
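Review bot: the MKREPRO text is moved verbatim, so this is the moment to fix the stray comma in "packages built from the same tree and with the same options, to produce identical results bit by bit" (drop the comma, or say "allows packages built from the same tree with the same options to produce bit-for-bit identical results"); "More work likely needs to be done before pkgsrc is fully reproducible." would also read better if it pointed at what is still missing, or was dropped if nothing concrete is known.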