linkerd2-proxy

Commit Graph

Author	SHA1	Message	Date
Oliver Gould	f1a89ef953	Add checksec to the release process (#476 ) A recent [Twitter thread][mudge] suggested that tools like [`checksec`][checksec] be used to validate release binaries. Checksec reports whether modern security features like stack canaries are employed. Proxy builds appear to do pretty well out-of-the-box. This change introduces a checksec.sh wrapper that is used by the Makefile during packaging. A new _package_ github action is introduced to provide `checksec` and `jq` dependencies at runtime. (Note: the version of checksec provided by debian does not include JSON output, so it is instead fetched directly from GitHub). During an automated release, the generated checksec is compared to an expected set of values and, if a regression is detected, the release will fail. [mudge]: https://twitter.com/dotMudge/status/1249359519471341569 [checksec]: https://github.com/slimm609/checksec.sh	2020-04-15 09:54:06 -07:00

Author

SHA1

Message

Date

Oliver Gould

f1a89ef953

Add checksec to the release process (#476 )

A recent [Twitter thread][mudge] suggested that tools like
[`checksec`][checksec] be used to validate release binaries. Checksec
reports whether modern security features like stack canaries are
employed. Proxy builds appear to do pretty well out-of-the-box.

This change introduces a checksec.sh wrapper that is used by the
Makefile during packaging. A new _package_ github action is introduced
to provide `checksec` and `jq` dependencies at runtime. (Note: the
version of checksec provided by debian does not include JSON output, so
it is instead fetched directly from GitHub).

During an automated release, the generated checksec is compared to an
expected set of values and, if a regression is detected, the release
will fail.

[mudge]: https://twitter.com/dotMudge/status/1249359519471341569
[checksec]: https://github.com/slimm609/checksec.sh

2020-04-15 09:54:06 -07:00

1 Commits