Reorg front of Compiler Options Hardening Guide for clarity #821
Reorganize the front part of the "Compiler Options Hardening Guide for C and C++" for clarity.
There is a recent and very interesting post
"Mitigating a rsync Vulnerability: A Lesson in Compiler Hardening" by Mark Esler on March 19, 2025 at
https://www.chainguard.dev/unchained/mitigating-a-rsync-vulnerability-a-lesson-in-compiler-hardening
However, that post says "Chainguard implements most recommendations, and takes them a step further by also opting into..." and then adds options that our guidance specifically recommends. E.g., it adds -fPIE and -PIC, -fsf-protection=full, and so on. This shows that even smart people who read the guidance think that only the list at the top is relevant, and don't even look at the table below it.
Let's put the table immediately after it, with bolded text to clarify what's meant. In addition, let's add -Werror to the table; the text below clarifies things, but if it's not even in the table, readers are likely to miss it.