[Gluster-devel] Security hardening RELRO & PIE flags

Atin Mukherjee amukherj at redhat.com
Fri Apr 3 12:27:25 UTC 2015 


On 04/02/2015 06:43 PM, Justin Clift wrote:
> On 2 Apr 2015, at 14:08, Niels de Vos <ndevos at redhat.com> wrote:
>> On Thu, Apr 02, 2015 at 01:21:57PM +0100, Justin Clift wrote:
>>> On 31 Mar 2015, at 08:15, Niels de Vos <ndevos at redhat.com> wrote:
>>>> On Tue, Mar 31, 2015 at 12:20:19PM +0530, Kaushal M wrote:
>>>>> IMHO, doing hardening and security should be left the individual
>>>>> distributions and the package maintainers. Generally, each distribution has
>>>>> it's own policies with regards to hardening and security. We as an upstream
>>>>> project cannot decide on what a distribution should do. But we should be
>>>>> ready to fix bugs that could arise when distributions do hardened builds.
>>>>>
>>>>> So, I vote against having these hardening flags added to the base GlusterFS
>>>>> build. But we could add the flags the Fedora spec files which we carry with
>>>>> our source.
>>>>
>>>> Indeed, I agree that the compiler flags should be specified by the
>>>> distributions. At least Fedora and Debian do this already include
>>>> (probably different) options within their packaging scripts. We should
>>>> set the flags we need, but not more. It would be annoying to set default
>>>> flags that can conflict with others, or which are not (yet) available on
>>>> architectures that we normally do not test.
>>>
>>> First thoughts: :)
>>>
>>>  * We provide our own packaging scripts + distribute rpms/deb's from our
>>>    own site too.
>>>
>>>    Should we investigate/try these flags out for the packages we build +
>>>    supply?
>>
>> At least for the RPMs, we try to follow the Fedora guidelines and their
>> standard flags. With recent Fedora releases this includes additional
>> hardening flags.
>>
>>>  * Are there changes in our code + debugging practises that would be needed
>>>    for these security hardening flags to work?
>>>
>>>    If there are, and we don't make these changes ourselves, doesn't that
>>>    mean we're telling distributions they need to carry their own patch set
>>>    in order to have a "more secure" GlusterFS?
>>
>> We have received several patches from the Debian maintainer that improve
>> the handling of these options. When maintainers for distrubutions build
>> GlusterFS and require changes, they either file bugs and/or send
>> patches. I think this works quite well.
> 
> Thanks Niels.  Sounds like we're already in good shape then. :)
Allright. With this I consider there is no need of upstream changes for
this. Thank you all for your insights and feedback.

~Atin
> 
> + Justin
> 
> --
> GlusterFS - http://www.gluster.org
> 
> An open source, distributed file system scaling to several
> petabytes, and handling thousands of clients.
> 
> My personal twitter: twitter.com/realjustinclift
> 
> _______________________________________________
> Gluster-devel mailing list
> Gluster-devel at gluster.org
> http://www.gluster.org/mailman/listinfo/gluster-devel
> 

-- 
~Atin

More information about the Gluster-devel mailing list