On 2 February 2017 at 15:28, Georg Koppen gk@torproject.org wrote:
Hi all,
a while ago a ticket about renaming our "hardened" series got filed[1]. There, it is argued we should think about renaming the hardened series to something else, as it is probably not as hardened as one would expect and thus misleading our users. Especially shipping that build with Address Sanitizer (ASan) enabled caused some folks to point out that ASan is mainly a debugging tool (which is the other goal of the hardened series), which is very likely at odds with the hardened aspect of the series.
While I still stand by the things we said in our blog post[2] back then, when we introduced the hardened series, I am fine with picking this discussion up right now and moving on to a decision. The reason for that is that we have Yawning Angel's sandboxed Tor Browser, which achieves the goal of preventing harm from our users much better than the hardened aspect of our hardened series could ever do. Moreover, selfrando, one of the noteworthy aspects of our hardened series, is about to get shipped in our regular alphas. If all goes well it will be available in 7.0a2.
So, things we need to decide are
- What do we want to do with our hardened series? Should we rename it to "debug series" or something similar?
- Should we expose the renamed thing to the general public as an own, new series or should we just ship the means to create a debugging build whenever we need one?
- What should we do with users already being on the hardened update channel? Should they get moved to our alpha channel with some notice?
or maybe some fourth or fifth item rendering 1)-3) moot but which I did not come up with?
I have a question about ASAN. Why do we release it? Is it because we think it can sometimes provide security? Or is it for the purposes of debugging? If it's for debugging, do we --enable-debug and --disable-optimize on this build and any other debugging stuff?
It's my hope that we will, in the next year, be able to ship more hardening features on more platforms. Adding in CFI for Linux and Mac; and CFG for Windows. There's jemalloc redzones (are those going in hardened, alpha, or release?)
Will these go into Alpha with the goal of getting them to release? And it would be awesome to move to a 64bit version for Windows. (I'm unclear why we have a 32 bit linux version actually; and when we get a 64 bit Windows version why we would keep a 32 bit version.)
I guess what I'm trying to figure out is: if we aggressively move all hardening features we can into Alpha and then release; either the 'Hardened' version is really a Pre-Alpha (with ASAN for catching more bugs) or it's a Debug version. If it's pre-alpha, cool, let's make an alpha, beta, and release channel. If it's Debug, cool, it's Debug. =)
And all of these are separate from Yawning's Sandboxed version.
-tom