Annvix Development Blog

Charting Annvix Development




A number of changes on the horizon

25 June, 2007 (15:39) | Development | By: Vincent Danen

As of today, SSP (stack-smashing protection) is the default for everything. The RPM %optflags macro now calls -fstack-protector --param=ssp-buffer-size=4, so everything built with the default flags will contain it. Packages that cannot use SSP for one reason or another can add “%define _ssp_cflags %nil” at the beginning of the spec file.
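One way to confirm that built binaries actually picked up the default above, or to spot packages that opted out, is to look for a reference to GCC's stack-protector failure handler. This is an added example, not Annvix tooling; the function names are hypothetical and readelf from binutils is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the Annvix project): audit a build tree for SSP.
# Usage after sourcing this file:  audit_tree /path/to/buildroot

# classify_symbols: read `readelf -sW` output on stdin and print
#   "ssp"     if the binary references __stack_chk_fail (or the
#             __stack_chk_fail_local variant used by some PIC builds),
#   "no-ssp"  otherwise.
classify_symbols() {
    if grep -Eq '[[:space:]]__stack_chk_fail(_local)?(@|[[:space:]]|$)'; then
        echo ssp
    else
        echo no-ssp
    fi
}

# is_elf FILE: true when FILE starts with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    [ "$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')" = 7f454c46 ]
}

# audit_tree DIR: print "<status> <path>" for every ELF file under DIR.
# Non-ELF files (scripts, docs, data) are skipped silently.
audit_tree() {
    find "$1" -type f | while IFS= read -r f; do
        is_elf "$f" || continue
        printf '%s %s\n' \
            "$(readelf -sW "$f" 2>/dev/null | classify_symbols)" "$f"
    done
}
```

A "no-ssp" result is a prompt to check the spec file for the opt-out rather than proof of one: -fstack-protector only instruments functions with a qualifying buffer (here, character arrays of 4 bytes or more), so a small binary with no such function carries no reference to the handler.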

Glibc 2.5 works and seems to work well.

For a while, we’ve stored documentation from RPM packages in their own foo-doc package, which is available in its own repository. Those packages are getting a further refinement now in that documentation will be stored in /usr/share/doc/foo rather than /usr/share/doc/foo-1.0 (the version is being dropped).

There is discussion of possibly moving from the 2.6.16 kernel to 2.6.22 (although this still needs to be fully determined).

Work has begun to integrate AppArmor profiles into the packages that need them, and to automatically reload profiles as they are updated, if AppArmor is running. This will take some time to fully accomplish, and help from anyone interested in generating profiles would be welcome.

I think, with all of this, we might be jumping from 2.0-RELEASE to 3.0-RELEASE after all. It’s shaping up to be quite a big change. =) It’s also shaping up to be a welcome change. With SSP enabled by default, we’re (finally) back to where we were at with 1.0-RELEASE. And with AppArmor now being installed and enabled by default, and with default profiles in place, Annvix should come very hardened out-of-the-box.

As an aside, some of this is happening on the Mandriva side, so Annvix<->Mandriva integration is paying off. Hopefully some more stuff from Annvix will make its way into Mandriva (I’m thinking Openwall’s TCB suite and pam_passwdqc). Already the work done in integrating AppArmor in Annvix has paved the way a bit for Mandriva’s adoption, which is fantastic to see.
