On 04/02/2015 06:43 PM, Justin Clift wrote: > On 2 Apr 2015, at 14:08, Niels de Vos <ndevos@xxxxxxxxxx> wrote: >> On Thu, Apr 02, 2015 at 01:21:57PM +0100, Justin Clift wrote: >>> On 31 Mar 2015, at 08:15, Niels de Vos <ndevos@xxxxxxxxxx> wrote: >>>> On Tue, Mar 31, 2015 at 12:20:19PM +0530, Kaushal M wrote: >>>>> IMHO, doing hardening and security should be left the individual >>>>> distributions and the package maintainers. Generally, each distribution has >>>>> it's own policies with regards to hardening and security. We as an upstream >>>>> project cannot decide on what a distribution should do. But we should be >>>>> ready to fix bugs that could arise when distributions do hardened builds. >>>>> >>>>> So, I vote against having these hardening flags added to the base GlusterFS >>>>> build. But we could add the flags the Fedora spec files which we carry with >>>>> our source. >>>> >>>> Indeed, I agree that the compiler flags should be specified by the >>>> distributions. At least Fedora and Debian do this already include >>>> (probably different) options within their packaging scripts. We should >>>> set the flags we need, but not more. It would be annoying to set default >>>> flags that can conflict with others, or which are not (yet) available on >>>> architectures that we normally do not test. >>> >>> First thoughts: :) >>> >>> * We provide our own packaging scripts + distribute rpms/deb's from our >>> own site too. >>> >>> Should we investigate/try these flags out for the packages we build + >>> supply? >> >> At least for the RPMs, we try to follow the Fedora guidelines and their >> standard flags. With recent Fedora releases this includes additional >> hardening flags. >> >>> * Are there changes in our code + debugging practises that would be needed >>> for these security hardening flags to work? >>> >>> If there are, and we don't make these changes ourselves, doesn't that >>> mean we're telling distributions they need to carry their own patch set >>> in order to have a "more secure" GlusterFS? >> >> We have received several patches from the Debian maintainer that improve >> the handling of these options. When maintainers for distrubutions build >> GlusterFS and require changes, they either file bugs and/or send >> patches. I think this works quite well. > > Thanks Niels. Sounds like we're already in good shape then. :) Allright. With this I consider there is no need of upstream changes for this. Thank you all for your insights and feedback. ~Atin > > + Justin > > -- > GlusterFS - http://www.gluster.org > > An open source, distributed file system scaling to several > petabytes, and handling thousands of clients. > > My personal twitter: twitter.com/realjustinclift > > _______________________________________________ > Gluster-devel mailing list > Gluster-devel@xxxxxxxxxxx > http://www.gluster.org/mailman/listinfo/gluster-devel > -- ~Atin _______________________________________________ Gluster-devel mailing list Gluster-devel@xxxxxxxxxxx http://www.gluster.org/mailman/listinfo/gluster-devel
