[Gluster-devel] Security hardening RELRO & PIE flags

Justin Clift justin at gluster.org
Thu Apr 2 12:21:57 UTC 2015


On 31 Mar 2015, at 08:15, Niels de Vos <ndevos at redhat.com> wrote:
> On Tue, Mar 31, 2015 at 12:20:19PM +0530, Kaushal M wrote:
>> IMHO, doing hardening and security should be left the individual
>> distributions and the package maintainers. Generally, each distribution has
>> it's own policies with regards to hardening and security. We as an upstream
>> project cannot decide on what a distribution should do. But we should be
>> ready to fix bugs that could arise when distributions do hardened builds.
>> 
>> So, I vote against having these hardening flags added to the base GlusterFS
>> build. But we could add the flags the Fedora spec files which we carry with
>> our source.
> 
> Indeed, I agree that the compiler flags should be specified by the
> distributions. At least Fedora and Debian do this already include
> (probably different) options within their packaging scripts. We should
> set the flags we need, but not more. It would be annoying to set default
> flags that can conflict with others, or which are not (yet) available on
> architectures that we normally do not test.

First thoughts: :)

  * We provide our own packaging scripts + distribute rpms/deb's from our
    own site too.

    Should we investigate/try these flags out for the packages we build +
    supply?

  * Are there changes in our code + debugging practises that would be needed
    for these security hardening flags to work?

    If there are, and we don't make these changes ourselves, doesn't that
    mean we're telling distributions they need to carry their own patch set
    in order to have a "more secure" GlusterFS?

+ Justin

--
GlusterFS - http://www.gluster.org

An open source, distributed file system scaling to several
petabytes, and handling thousands of clients.

My personal twitter: twitter.com/realjustinclift



More information about the Gluster-devel mailing list