On 25/12/14 07:56 PM, Allan McRae wrote:
I'd guess it has a good chance to be included in gcc-5.0. If it gets committed I can backport immediately.
I am not in favour of using the hardening script because I don't find it adheres to what we consider KISS.
I can understand that. It works the same way as ccache/distcc though, which have integration in makepkg via PATH injection. It's an ugly hack, but it's not the only place it's used and I think the practical benefit of enforcing hardening flags outweighs the loss of purity. I could file a few hundred bugs on our tracker for packages ignoring LDFLAGS, but it's going to take a lot of effort to do the same for CFLAGS because of false positives. I'll start doing that if it's the only option but I don't think anyone - myself or the packagers - is going to be very happy about it. The lack of ASLR is very disappointing, because it's so easy to enable it and there aren't tangible drawbacks. It's a very difficult obstacle to overcome in most cases too. I can't recommend that anyone who cares about their security and privacy use a distribution without it. It's even enabled across the board on Windows, OS X and Android... I think that's a pretty high cost to pay for a sense of purity. I'll continue waiting to see what happens with the GCC patches but I'm not too optimistic about that. The reasoning behind the rejection of the past bugs / patches was primarily that this should be handled in autotools (ignoring that most projects don't use it) and that still applies to this attempt.
Our build system is supposed to be simple and entirely transparent when looking at the PKGBUILD and default makepkg.conf. Any user can run "abs" and "makepkg" and get (roughly) the same package.
It's still just as reproducible. A user may have a different version or configuration of GCC. The hardening-wrapper package exists so users may have it installed, whether or not it's pulled in by default. The best you can get to a reproducible build is by using devtools but even that is going to pull in the current set of packages rather than whatever the packager used. There are many packages that don't build anymore.
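The thread argues about enforcing the flags at build time, but the complementary check is auditing the output: does a built binary actually carry PIE (so ASLR applies), RELRO and BIND_NOW, and a non-executable stack? The following is an added example, not code from the mailing list or from the hardening-wrapper package. It parses just enough of an ELF64 little-endian file with the standard library to answer those questions, and builds a constructed minimal ELF (not a real program, just headers) so it runs offline; `check_hardening` and `build_sample_elf` are names chosen here. It covers only the link-time (LDFLAGS) properties the message calls easy to check; compiler-side CFLAGS such as stack protector cannot be judged reliably from the binary, which is the false-positive problem the message describes.

```python
"""Audit an ELF64 binary for the link-time hardening discussed in the thread.

Added example: not code from the Arch mailing list or the hardening-wrapper
package. It reads the ELF header, program headers and dynamic section to
report PIE, PT_GNU_RELRO, BIND_NOW (full RELRO) and a non-executable stack.
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR_FMT, PHDR_FMT, DYN_FMT = "<HHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"


def check_hardening(data: bytes) -> dict:
    """Return {'pie', 'relro', 'bind_now', 'full_relro', 'nx_stack'} for an ELF64 LE image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    # ET_DYN is what -pie produces; a shared library is ET_DYN too, so apply
    # the 'pie' verdict only to files you know are executables.
    result = {"pie": e_type == ET_DYN, "relro": False, "bind_now": False,
              "nx_stack": False}  # no PT_GNU_STACK header => loader assumes an executable stack
    dynamic = None
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            result["relro"] = True          # -Wl,-z,relro
        elif p_type == PT_GNU_STACK:
            result["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic:
        off, size = dynamic
        for pos in range(off, off + size, struct.calcsize(DYN_FMT)):
            tag, val = struct.unpack_from(DYN_FMT, data, pos)
            if tag == DT_NULL:
                break
            # -Wl,-z,now shows up as DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW depending on the linker
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                result["bind_now"] = True
    result["full_relro"] = result["relro"] and result["bind_now"]
    return result


def build_sample_elf(pie=True, relro=True, bind_now=True, exec_stack=False) -> bytes:
    """Constructed minimal ELF64 image for testing: headers only, not a runnable program."""
    dyn = (struct.pack(DYN_FMT, DT_FLAGS, DF_BIND_NOW) if bind_now else b"") \
        + struct.pack(DYN_FMT, DT_NULL, 0)
    n_ph = 2 + (1 if relro else 0)
    dyn_off = 64 + 56 * n_ph                    # dynamic section follows the program headers
    phdrs = [struct.pack(PHDR_FMT, PT_DYNAMIC, 6, dyn_off, 0x1000, 0x1000, len(dyn), len(dyn), 8),
             struct.pack(PHDR_FMT, PT_GNU_STACK, 6 | (PF_X if exec_stack else 0), 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append(struct.pack(PHDR_FMT, PT_GNU_RELRO, 4, 0, 0x1000, 0x1000, 0x100, 0x100, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, little-endian, version 1
    ehdr = ident + struct.pack(EHDR_FMT, ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0,
                               64, 56, n_ph, 64, 0, 0)
    return ehdr + b"".join(phdrs) + dyn


if __name__ == "__main__":
    # With paths: audit real binaries. Without: show the constructed samples.
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(path, check_hardening(f.read()))
    else:
        print("hardened:", check_hardening(build_sample_elf()))
        print("no -pie, no -z now:", check_hardening(build_sample_elf(pie=False, bind_now=False)))
```

Run it over the ELF files in a built package directory (for example every file under `pkg/` that starts with the ELF magic) to find the packages whose build system drops LDFLAGS or CFLAGS, which is the bug-filing sweep the message describes.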