On 2017-07-02 00:32, Allan McRae wrote:
> On 02/07/17 06:51, Bartłomiej Piotrowski wrote:
>> On 2017-06-30 23:44, Allan McRae wrote:
>>> On 30/06/17 19:07, Bartłomiej Piotrowski wrote:
>>>> On 2016-10-24 05:56, Allan McRae wrote:
>>>>> 1) building gcc to enable PIE by default
>>>>
>>>> I am in the middle of rebuilding gcc with --enable-default-pie. When it finishes, I will start a todo for rebuilding packages with static libraries.
>>>>
>>>> I also enabled --enable-default-ssp, which means that -fstack-protector-strong will be dropped from our CFLAGS (as it will be enforced by gcc) on the next opportunity.
>>>
>>> Are you adding full RELRO + no-plt at the same time?
>>>
>>> A
>>
>> Yes, and -fstack-check=specific too, although I might drop no-plt if it will cause too many builders.
>
> I thought the conclusion from the Stack Clash bugs was that the current -fstack-check was fundamentally flawed and was being completely rewritten for the next gcc. Is the "=specific" version OK?

Packages described in Qualys' analysis weren't affected if compiled with 'specific'. It's probably not perfect either, but better that than nothing at all.

Bartłomiej
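An added example, not part of this thread: a small Python checker that reads an ELF64 binary's program headers and dynamic section to report whether it is PIE (ET_DYN) and whether it has partial or full RELRO (PT_GNU_RELRO plus DT_BIND_NOW / DF_BIND_NOW), which is what the --enable-default-pie and full-RELRO settings discussed above should produce in rebuilt packages. The `build_sample` helper and the minimal ELF images it constructs are my own test inputs, not real packages.

```python
import struct
import sys

ET_DYN = 3                      # PIE executables (and shared objects) are ET_DYN
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS = 0, 24, 30
DF_BIND_NOW = 0x8

def check_hardening(elf: bytes) -> dict:
    """Report PIE and RELRO status for a little-endian ELF64 image held in memory."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    e_type, = struct.unpack_from("<H", elf, 16)
    e_phoff, = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    has_relro = bind_now = False
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:          # -z relro: GOT made read-only after relocation
            has_relro = True
        elif p_type == PT_DYNAMIC:          # -z now shows up as DT_BIND_NOW or DF_BIND_NOW
            for j in range(p_filesz // 16):  # Elf64_Dyn entries are 16 bytes each
                d_tag, d_val = struct.unpack_from("<qQ", elf, p_offset + j * 16)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW):
                    bind_now = True
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    # Caveat: ET_DYN alone does not distinguish a PIE executable from a shared library.
    return {"pie": e_type == ET_DYN, "relro": relro}

def build_sample(e_type: int, relro: bool, bind_now: bool) -> bytes:
    """Constructed test input: a minimal ELF64 with just the headers the checker reads."""
    dyn = (struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b"") + struct.pack("<qQ", DT_NULL, 0)
    dyn_off = 64 + 56 * (2 if relro else 1)   # dynamic section follows the program headers
    phdrs = [struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)]
    if relro:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, little-endian
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return hdr + b"".join(phdrs) + dyn

if __name__ == "__main__":
    # Usage: python check_hardening.py /path/to/binary
    with open(sys.argv[1], "rb") as f:
        print(check_hardening(f.read()))
```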