Arch-general

Download

arch-general@lists.archlinux.org

July 2017

77 participants
32 discussions

Re: [arch-general] Changing compilation flags
by Alexander Harrigan 02 Jul '17

02 Jul '17

On On Sat, Jul 1, 2017 at 09:54 AM, arch-general <arch- general(a)archlinux.org> wrote: > >On 2016-10-24 05:56, Allan McRae wrote: > >*> 1) building gcc to enable PIE by default > *> > >I am in the middle of rebuilding gcc with --enable-default-pie. When it > >finishes, I will start a todo for rebuilding packages with static libraries. > > > >I also enabled --enable-default-ssp, which means that > >-fstack-protector-strong will be dropped from our CFLAGS (as it will be > >enforced by gcc) on the next opportunity. > > > >Bartłomiej > > Does the -enable-default-ssp enforce also -fstack-check=specific to protect > from stack clash [1], gentoo do it (except on vlc and tcl which not build > but those are upstream bugs) [2] > > [1] https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash > [2] https://wiki.gentoo.org/wiki/Hardened/Gentoo_Hardened_and_Stack_Clash > > *Pablo Lezaeta* > No it doesn't but original plan [1] was to enable -fstack-check, -fno-plt and -z,now to default flags in makepkg.conf. I hope Pacman maintainer will add those before mass rebuild started so everythig will be done at once. [1] https://lists.archlinux.org/pipermail/arch-dev- public/2016-October/028405.html \-- Sent using MsgSafe.io's Free Plan Private, encrypted, online communication For everyone. https://www.msgsafe.io

2 1

[arch-general] Changing compilation flags
by Pablo Roberto Lezaeta Reyes 01 Jul '17

01 Jul '17

>On 2016-10-24 05:56, Allan McRae wrote: >*> 1) building gcc to enable PIE by default *> >I am in the middle of rebuilding gcc with --enable-default-pie. When it >finishes, I will start a todo for rebuilding packages with static libraries. > >I also enabled --enable-default-ssp, which means that >-fstack-protector-strong will be dropped from our CFLAGS (as it will be >enforced by gcc) on the next opportunity. > >Bartłomiej Does the -enable-default-ssp enforce also -fstack-check=specific to protect from stack clash [1], gentoo do it (except on vlc and tcl which not build but those are upstream bugs) [2] [1] https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash [2] https://wiki.gentoo.org/wiki/Hardened/Gentoo_Hardened_and_Stack_Clash *Pablo Lezaeta*

1 0