This has been discussed a couple of times previously on the mailing lists and there were no objections so I have finally gotten around to adding some hardening options to our CFLAGS/LDFLAGS.

With pacman-3.5.4-4 the defaults in makepkg.conf become:

CFLAGS="-march=i686 -mtune=generic -O2 -pipe -fstack-protector --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2"
LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro,--hash-style=gnu"

As discussed previously, the addition of -Wl,-O1,--sort-common to LDFLAGS is not hardening... but these are safe options and they do appear to more than counter the slight overhead that stack smashing protection adds.

These are all fairly standard flags being used to build the major distros these days (other distros patch their toolchain to make these the default), so there should be few issues. Probably the only thing to watch out for is to disable them when building bootloaders.

The toolchain and all its (real) dependencies have been rebuilt with these flags and the necessary adjustments made to the packages. See notes below:

All toolchain dependencies (just rebuilds):
cloog-0.16.2-2
gmp-5.0.2-3
isl-0.06-2
libmpc-0.9-2
mpfr-3.0.1.p4-2
ppl-0.11.2-2
zlib-1.2.5-4

Toolchain components:
linux-api-headers-3.0.1-1 (upstream update)
binutils-2.21.1-2
gcc{,-libs}-4.6.1-3 (do not build libssp with hardening flags)
glibc-2.14-5 (do not build libraries with hardening flags)

I intend to leave this in [testing] for a couple of weeks to make sure there are no issues. I have been running this locally for about a week and am fairly sure I have the kinks worked out now... I will call for the sign-off later.

Allan
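Added example, not part of the original message or of Arch's tooling: one way to confirm that a rebuilt binary actually picked up the -z,relro linker flag from the LDFLAGS above is to look for the PT_GNU_RELRO program header that the linker emits for it. The function names and the make_elf32 sample builder are hypothetical, and the sample ELF image is constructed for illustration.

```python
import struct
import sys

PT_GNU_RELRO = 0x6474E552  # p_type of the segment the linker emits for -z relro

def program_header_types(elf):
    """Return the p_type of every program header in a 32- or 64-bit ELF image."""
    if len(elf) < 52 or elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = elf[4], elf[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unknown ELF class or byte order")
    end = "<" if ei_data == 1 else ">"
    if ei_class == 1:  # ELF32, e.g. the -march=i686 builds
        (phoff,) = struct.unpack_from(end + "I", elf, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 42)
    else:  # ELF64
        if len(elf) < 64:
            raise ValueError("truncated ELF64 header")
        (phoff,) = struct.unpack_from(end + "Q", elf, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 54)
    types = []
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 4 > len(elf):
            raise ValueError("program header table runs past end of file")
        types.append(struct.unpack_from(end + "I", elf, off)[0])
    return types

def has_relro(elf):
    """True if the image carries a PT_GNU_RELRO segment."""
    return PT_GNU_RELRO in program_header_types(elf)

def make_elf32(p_types):
    """Constructed sample input: bare little-endian ELF32 header + program headers."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    header = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0,
                                 52, 32, len(p_types), 0, 0, 0)
    return header + b"".join(struct.pack("<8I", t, 0, 0, 0, 0, 0, 0, 0) for t in p_types)

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. binaries unpacked from a freshly built package
        with open(path, "rb") as fh:
            data = fh.read()
        try:
            print(path, "relro" if has_relro(data) else "NO relro")
        except ValueError as err:
            print(path, "skipped:", err)
```

This only checks the linker-side flag; it says nothing about -fstack-protector or -D_FORTIFY_SOURCE=2, which leave their traces in the symbol table rather than in the program headers.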