[arch-dev-public] hardening-wrapper
Hi,

I was quite surprised today that gcc suddenly started defaulting to -fstack-check. After some confusion and a bit of exploration, it turned out that hardening-wrapper, which came as a makedep with python, was responsible.

It is quite unfortunate that hardening-wrapper unexpectedly alters system-wide compiler behavior.

In addition, since makepkg layers ccache in front of hardening-wrapper, ccache will now miss compiler updates.

IMO it should be a makedepend on any package. If we want to harden our packages we can do this via makepkg.conf or adjusting CFLAGS in the PKGBUILD, not supposedly-per-package system-wide hacks. Thoughts?

Greetings,
Jan
On 15/09/15 08:26 AM, Jan Alexander Steffens wrote:
Hi,
I was quite surprised today that gcc suddenly started defaulting to -fstack-check. After some confusion and a bit of exploration, it turned out that hardening-wrapper, which came as a makedep with python, was responsible.
It is quite unfortunate that hardening-wrapper unexpectedly alters system-wide compiler behavior.
In addition, since makepkg layers ccache in front of hardening-wrapper, ccache will now miss compiler updates.
IMO it should be a makedepend on any package. If we want to harden our packages we can do this via makepkg.conf or adjusting CFLAGS in the PKGBUILD, not supposedly-per-package system-wide hacks. Thoughts?
Greetings, Jan
It's currently necessary to use PIE (ASLR) because you need different switches for building / linking executables and shared libraries. The secondary reason for it existing is to work around build systems not respecting CFLAGS/LDFLAGS (many of them). It would be great if they were all fixed, but it's unrealistic. It's only system-wide without devtools. It was done this way because my attempt to get makepkg to support this (as rpm/dpkg do on other distributions) didn't pan out.
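To make the "different switches for executables and shared libraries" point concrete, here is an added example of the flag policy a compiler wrapper of this kind has to implement. It is illustrative code written for this page, not the source of the hardening-wrapper package; the only flags the thread itself names are -fstack-check and PIE, so the exact flag lists, the opt-out spellings and the REAL_CC environment variable are assumptions of the example.

```python
# Illustrative compiler-wrapper flag policy (added example, not the code of
# Arch's hardening-wrapper). It shows why PIE cannot be expressed as one
# CFLAGS string: compiling needs -fPIE, linking an executable needs -pie,
# and a shared-library link must get -fPIC and no -pie at all.
import os
import sys

# Flags the wrapper injects. -fstack-check is the one the thread observed;
# -fPIE/-fPIC/-pie are the PIE switches. The exact set is an assumption
# made for this example, not the package's actual list.
COMPILE_FLAGS_EXEC = ["-fPIE", "-fstack-check"]
COMPILE_FLAGS_SHARED = ["-fPIC", "-fstack-check"]
LINK_FLAGS_EXEC = ["-pie"]

# With any of these the driver stops before linking, so -pie is meaningless.
NO_LINK = {"-c", "-S", "-E", "-M", "-MM"}
# These link steps do not produce a dynamically linked executable
# (-static -pie is an error; static PIE needs -static-pie instead).
NOT_EXEC_LINK = {"-shared", "-r", "-static"}
# Explicit opt-outs: leave the command line untouched.
OPT_OUT = {"-no-pie", "-nopie", "-fno-PIE", "-fno-pie"}


def hardened_argv(argv):
    """Return the argv the wrapper would exec for the given compiler argv.

    argv[0] is the compiler; the rest is what the build system passed.
    """
    compiler, args = argv[0], list(argv[1:])
    opts = set(args)
    if OPT_OUT & opts:
        return [compiler] + args

    linking = not (NO_LINK & opts)
    # -shared selects PIC code generation; -r/-static only change the link.
    compile_flags = COMPILE_FLAGS_SHARED if "-shared" in opts else COMPILE_FLAGS_EXEC
    # Injected flags go *before* the caller's own flags, so an explicit later
    # flag still wins under GCC's last-one-wins rule. On a pure link step the
    # code-generation flags are harmless, since no source file is compiled.
    out = [compiler] + compile_flags + args
    if linking and not (NOT_EXEC_LINK & opts):
        out += LINK_FLAGS_EXEC
    return out


def main():
    # The wrapper is found earlier in PATH than the real compiler; REAL_CC is
    # an assumed environment variable naming the real binary to exec.
    real = os.environ.get("REAL_CC", "/usr/bin/gcc")
    os.execv(real, hardened_argv([real] + sys.argv[1:]))


if __name__ == "__main__":
    main()
```

The same policy is what lets the wrapper cover build systems that ignore CFLAGS/LDFLAGS: it intercepts every compiler invocation rather than relying on the flags being forwarded. Note that, as the thread points out, such interception also hides the real compiler from ccache, which keys its cache on the compiler binary it is handed.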
participants (2)
- Daniel Micay
- Jan Alexander Steffens