[Nix-dev] Hardening flags enabled by default

Thomas Hunger tehunger at gmail.com
Mon Aug 22 14:36:45 CEST 2016


Thank you so much! I've been running a staging server on this branch for a
few weeks and all of the issues I had were addressed in your branch before
I had time to flag them.

This is really fantastic work not just for my servers but also for my
ability to argue that NixOS has a story for security.

Lastly I also think that it's an amazing testament to the leverage Nix
provides that a small group of dedicated people can harden so many packages
with a few months of work (not downplaying the work involved!).

~

On 22 August 2016 at 12:31, Franz Pletz <fpletz at fnordicwalking.de> wrote:

> Hi,
>
> yesterday the hardening-stdenv branch was merged to staging and is
> slated to hit master soon. Here is the pull request with lots of
> comments: https://github.com/NixOS/nixpkgs/pull/12895
>
> This is a work globin and myself did for the last 6 months. We have
> been running that branch on our laptops and on production servers for
> months now and fixed many compilation and runtime errors in the
> process. We think it is ready now and should be included in the upcoming
> 16.09 release.
>
> For background information and how to fix your packages if they fail
> now (i.e. runtime errors we didn't catch), we have written documentation
> that is available in the nixpkgs manual:
>
>   https://hydra.nixos.org/build/38504599/download/1/nixpkgs/manual.html#sec-hardening-in-nixpkgs
>
> If you package new software and encounter unexpected compiler errors,
> chances are you hit some problem with a hardening flag. In the manual
> you will find the compiler errors we have encountered most of the time
> for every hardening flag.
>
> Should you encounter problems or have any other issues with the
> hardening flags, please open an issue in the nixpkgs repo and ping
> @globin and @fpletz. We have to fix those before 16.09. ;)
>
> Cheers,
> Franz
>