I've recently noticed the news about CC-rc1 being released, and in the changelog there was a paragraph about some new security features. In particular, it is claimed that there is a new package signing architecture, support for (chroot) jails and support for hardened builds. Normally I love hearing about new security features being implemented, but I've got some questions about them and the roadmap because the information is rather scarce.
News post: https://forum.openwrt.org/viewtopic.php?id=57453
* Improved Security Features
  - Rewritten package signing architecture based on ed25519
  - Added support for jails
  - Added support for hardened builds
So if I understand this correctly, OpenWrt will finally add support for package signing so that whenever an update is performed via opkg, we can be sure that the downloaded packages are in fact authentic? How are the hardened builds going to work? Will we have to build all packages ourselves with some added compiler options, or will there be a repository for hardened packages? And what hardening features does this build bring - stack/heap canaries, ASLR, DEP/NX/XD, RBAC, etc. - is there a list?
Thanks!