2 Jul 2017, 4:19 p.m.
Anyway, I think -Wl,-z,now, --enable-default-pie and --enable-default-ssp are a good starting point. Could enable -fstack-check=specific now, but it's not going to save a mass rebuild by doing it now (if the goal is to rebuild everything important with it) because they'll be improving it. Using -fno-plt would be a nice tiny little performance boost at runtime but then it's important to make sure everything is compiled with -Wl,-z,now and there might be programs ignoring LDFLAGS but respecting CFLAGS. Ideally -z now would be the default in the linker first. If we aren't going to patch the default, then I think a configure flag for that needs to land upstream.
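As an added example (not part of the original message or of any distribution's tooling), the following Python audit reads the dynamic section of built binaries and reports which ones were linked without -z now or without the PIE flag, which is how a package that ignored LDFLAGS shows up after a rebuild. It assumes little-endian ELF64 files and treats DF_1_PIE as the PIE marker; the function name `audit_elf` is hypothetical.

```python
import struct
import sys

PT_DYNAMIC, ET_DYN = 2, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000


def audit_elf(data):
    """Report link-time hardening of a little-endian ELF64 image (bytes)."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    facts = {"dynamic": False, "bind_now": False, "pie": False}
    for i in range(e_phnum):
        ph = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from("<I", data, ph)
        if p_type != PT_DYNAMIC:
            continue
        facts["dynamic"] = True
        (p_offset,) = struct.unpack_from("<Q", data, ph + 8)
        (p_filesz,) = struct.unpack_from("<Q", data, ph + 32)
        # Walk the Elf64_Dyn entries (tag, value) until DT_NULL.
        for off in range(p_offset, p_offset + p_filesz - 15, 16):
            tag, val = struct.unpack_from("<qQ", data, off)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW):
                facts["bind_now"] = True
            if tag == DT_FLAGS_1:
                facts["bind_now"] |= bool(val & DF_1_NOW)
                # DF_1_PIE separates PIE executables from shared libraries,
                # which are ET_DYN too.
                facts["pie"] = e_type == ET_DYN and bool(val & DF_1_PIE)
    return facts


if __name__ == "__main__":
    for path in sys.argv[1:]:
        try:
            with open(path, "rb") as fh:
                facts = audit_elf(fh.read())
        except (OSError, ValueError, struct.error) as exc:
            print(f"{path}: skipped ({exc})")
            continue
        if facts["dynamic"] and not facts["bind_now"]:
            print(f"{path}: lazy binding, -z now did not reach the link")
        if facts["dynamic"] and not facts["pie"]:
            print(f"{path}: no DF_1_PIE flag (non-PIE or a shared library)")
```

Run it with the paths of installed binaries as arguments; statically linked files have no dynamic section and produce no findings.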