[Gluster-devel] Security hardening RELRO & PIE flags

Justin Clift justin at gluster.org
Thu Apr 2 13:13:26 UTC 2015


On 2 Apr 2015, at 14:08, Niels de Vos <ndevos at redhat.com> wrote:
> On Thu, Apr 02, 2015 at 01:21:57PM +0100, Justin Clift wrote:
>> On 31 Mar 2015, at 08:15, Niels de Vos <ndevos at redhat.com> wrote:
>>> On Tue, Mar 31, 2015 at 12:20:19PM +0530, Kaushal M wrote:
>>>> IMHO, doing hardening and security should be left the individual
>>>> distributions and the package maintainers. Generally, each distribution has
>>>> it's own policies with regards to hardening and security. We as an upstream
>>>> project cannot decide on what a distribution should do. But we should be
>>>> ready to fix bugs that could arise when distributions do hardened builds.
>>>> 
>>>> So, I vote against having these hardening flags added to the base GlusterFS
>>>> build. But we could add the flags the Fedora spec files which we carry with
>>>> our source.
>>> 
>>> Indeed, I agree that the compiler flags should be specified by the
>>> distributions. At least Fedora and Debian do this already include
>>> (probably different) options within their packaging scripts. We should
>>> set the flags we need, but not more. It would be annoying to set default
>>> flags that can conflict with others, or which are not (yet) available on
>>> architectures that we normally do not test.
>> 
>> First thoughts: :)
>> 
>>  * We provide our own packaging scripts + distribute rpms/deb's from our
>>    own site too.
>> 
>>    Should we investigate/try these flags out for the packages we build +
>>    supply?
> 
> At least for the RPMs, we try to follow the Fedora guidelines and their
> standard flags. With recent Fedora releases this includes additional
> hardening flags.
> 
>>  * Are there changes in our code + debugging practises that would be needed
>>    for these security hardening flags to work?
>> 
>>    If there are, and we don't make these changes ourselves, doesn't that
>>    mean we're telling distributions they need to carry their own patch set
>>    in order to have a "more secure" GlusterFS?
> 
> We have received several patches from the Debian maintainer that improve
> the handling of these options. When maintainers for distrubutions build
> GlusterFS and require changes, they either file bugs and/or send
> patches. I think this works quite well.

Thanks Niels.  Sounds like we're already in good shape then. :)

+ Justin

--
GlusterFS - http://www.gluster.org

An open source, distributed file system scaling to several
petabytes, and handling thousands of clients.

My personal twitter: twitter.com/realjustinclift



More information about the Gluster-devel mailing list