On 2 Apr 2015, at 14:08, Niels de Vos <ndevos@xxxxxxxxxx> wrote:
> On Thu, Apr 02, 2015 at 01:21:57PM +0100, Justin Clift wrote:
>> On 31 Mar 2015, at 08:15, Niels de Vos <ndevos@xxxxxxxxxx> wrote:
>>> On Tue, Mar 31, 2015 at 12:20:19PM +0530, Kaushal M wrote:
>>>> IMHO, doing hardening and security should be left to the individual
>>>> distributions and the package maintainers. Generally, each distribution has
>>>> its own policies with regards to hardening and security. We as an upstream
>>>> project cannot decide on what a distribution should do. But we should be
>>>> ready to fix bugs that could arise when distributions do hardened builds.
>>>>
>>>> So, I vote against having these hardening flags added to the base GlusterFS
>>>> build. But we could add the flags to the Fedora spec files which we carry with
>>>> our source.
>>>
>>> Indeed, I agree that the compiler flags should be specified by the
>>> distributions. At least Fedora and Debian do this already include
>>> (probably different) options within their packaging scripts. We should
>>> set the flags we need, but not more. It would be annoying to set default
>>> flags that can conflict with others, or which are not (yet) available on
>>> architectures that we normally do not test.
>>
>> First thoughts: :)
>>
>> * We provide our own packaging scripts + distribute rpms/deb's from our
>>   own site too.
>>
>>   Should we investigate/try these flags out for the packages we build +
>>   supply?
>
> At least for the RPMs, we try to follow the Fedora guidelines and their
> standard flags. With recent Fedora releases this includes additional
> hardening flags.
>
>> * Are there changes in our code + debugging practises that would be needed
>>   for these security hardening flags to work?
>>
>>   If there are, and we don't make these changes ourselves, doesn't that
>>   mean we're telling distributions they need to carry their own patch set
>>   in order to have a "more secure" GlusterFS?
>
> We have received several patches from the Debian maintainer that improve
> the handling of these options. When maintainers for distributions build
> GlusterFS and require changes, they either file bugs and/or send
> patches. I think this works quite well.

Thanks Niels. Sounds like we're already in good shape then. :)

+ Justin

--
GlusterFS - http://www.gluster.org

An open source, distributed file system scaling to several
petabytes, and handling thousands of clients.

My personal twitter: twitter.com/realjustinclift