 @@ -1,45 +1,39 @@
-# $NetBSD: NEWS,v 1.21 2021/10/10 08:39:40 nia Exp $
+# $NetBSD: NEWS,v 1.22 2021/11/07 11:30:19 nia Exp $
 PKGSRC NEWS
 ===========
   This file contains information about important infrastructural changes in
   pkgsrc. The intended readers are the pkgsrc developers as well as anyone
   tracking pkgsrc-current.
 SHA1 distfile hashes deprecated [nia 2021-10-07]
 	SHA1 hashes have been removed from the pkgsrc tree for
 	distfiles and will now no longer be generated for new
 	packages - only SHA512 and RMD160 will be generated.
 Default Python version changed to 3.9 [nia 2021-10-01]
 Increased enabled-by-default hardening options [nia 2021-09-27]
 	PKGSRC_USE_MKPIE was enabled on some architectures.
 	Packages that provide static libraries to other packages
 	should be rebuilt with MKPIE enabled.
 	Some packages may experience runtime errors on platforms
 	like i386 - usually this is due to unsafe assembly code,
 	which should be disabled when MKPIE is enabled.
 	PKGSRC_USE_RELRO was enabled on some architectures.
 	This should not affect the majority of packages that properly
 	honor CFLAGS/LDFLAGS when building.  Packages experiencing
 	problems loading dynamic ELF plugins at runtime should have
 	RELRO disabled.
 	PKGSRC_USE_SSP was bumped from "yes" to "strong".  This
 	is not expected to have a noticable effect.
 	More information:
 	https://www.NetBSD.org/docs/pkgsrc/hardening.html
 	(or see "Security hardening" section of doc/pkgsrc.txt)
 Default MySQL implementation changed to MariaDB 10.6 [nia 2021-09-27]
 Default PostgreSQL changed to 13 [nia 2021-06-28]
 Default MySQL implementation changed to MariaDB [nia 2021-06-24]

 @@ -1,14 +1,14 @@
-<!-- $NetBSD: hardening.xml,v 1.4 2021/11/02 08:28:45 nia Exp $ -->
+<!-- $NetBSD: hardening.xml,v 1.5 2021/11/07 11:30:19 nia Exp $ -->
 <appendix id="hardening">
 <title>Security hardening</title>
 <para>
 A number of mechanisms are available in pkgsrc to improve the security of the
 resulting system. This page describes the mechanisms, and gives hints
 about detecting and fixing problems.
 </para>
 <para>
 Mechanisms can be enabled individually in
 <filename>mk.conf</filename>, and are
 @@ -133,26 +133,57 @@ exploits harder to construct. With PIE,
 program, instead of the stack and heap only.
 </para>
 <para>
 PIE executables will only be built for toolchains that are known to support PIE.
 Currently, this means NetBSD on x86, ARM, SPARC64, m68k, and MIPS.
 </para>
 <para>
 <varname>PKGSRC_MKPIE</varname> was enabled by default after the pkgsrc-2021Q3 branch.
 </para>
 </sect3>
 <sect2 id="hardening.mechanisms.disabled">
 <title>Not enabled by default</title>
 <sect3 id="hardening.mechanisms.disabled.repro">
 <title>PKGSRC_MKREPRO</title>
 <para>
 With this option, pkgsrc will try to build packages reproducibly. This allows
 packages built from the same tree and with the same options, to produce
 identical results bit by bit. This option should be combined with ASLR and
 <varname>PKGSRC_MKPIE</varname> to avoid predictable address offsets for
 attackers attempting to exploit security vulnerabilities.
 </para>
 <para>
 More details can be found here:
 </para>
 <itemizedlist>
 <listitem>
 <para>
 <ulink url="https://reproducible-builds.org/">Reproducible Builds - a set of software development practices that create an independently-verifiable path from source to binary code</ulink>
 </para>
 </listitem>
 </itemizedlist>
 <para>
 More work likely needs to be done before pkgsrc is fully reproducible.
 </para>
 </sect3>
 <sect3 id="hardening.mechanisms.enabled.relro">
 <title>PKGSRC_USE_RELRO</title>
 <para>
 This also makes the exploitation of some security vulnerabilities more
 difficult in some cases.
 </para>
 <para>Two different mitigation levels are available:</para>
 <itemizedlist>
 <listitem>
 <para>
 @@ -161,74 +192,44 @@ precede the program's own data sections,
 </para>
 </listitem>
 <listitem>
 <para>
 full: in addition to partial RELRO, every relocation is performed immediately
 when starting the program (with a slight performance impact), allowing the
 entire GOT to be read-only.
 </para>
 </listitem>
 </itemizedlist>
 <para>
 This is currently supported by GCC. Many software distributions now enable this
-feature by default, at the "partial" level.
+feature by default, at the "partial" level. However, it cannot yet be enforced
 globally in pkgsrc through cwrappers.
 </para>
 <para>
 More details can be found here:
 </para>
 <itemizedlist>
 <listitem>
 <para>
 <ulink url="https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro">Hardening ELF binaries using Relocation Read-Only (RELRO)</ulink>
 </para>
 </listitem>
 </itemizedlist>
 </sect3>
 </sect2>
 <sect2 id="hardening.mechanisms.disabled">
 <title>Not enabled by default</title>
 <sect3 id="hardening.mechanisms.disabled.repro">
 <title>PKGSRC_MKREPRO</title>
 <para>
 With this option, pkgsrc will try to build packages reproducibly. This allows
 packages built from the same tree and with the same options, to produce
 identical results bit by bit. This option should be combined with ASLR and
 <varname>PKGSRC_MKPIE</varname> to avoid predictable address offsets for
 attackers attempting to exploit security vulnerabilities.
 </para>
 <para>
 More details can be found here:
 </para>
 <itemizedlist>
 <listitem>
 <para>
 <ulink url="https://reproducible-builds.org/">Reproducible Builds - a set of software development practices that create an independently-verifiable path from source to binary code</ulink>
 </para>
 </listitem>
 </itemizedlist>
 <para>
 More work likely needs to be done before pkgsrc is fully reproducible.
 </para>
 </sect3>
 <sect3 id="hardening.mechanisms.disabled.stackcheck">
 <title>PKGSRC_USE_STACK_CHECK</title>
 <para>
 This uses <literal>-fstack-check</literal> with GCC for
 another stack protection mitigation.
 </para>
 <para>
 It asks the compiler to generate code verifying that it does not corrupt the
 stack. According to GCC's manual page, this is really only useful for
 multi-threaded programs.
 </para>