Re: [arch-general] Changing compilation flags
On Sat, Jul 1, 2017 at 09:54 AM, arch-general <arch-general@archlinux.org> wrote:
> > On 2016-10-24 05:56, Allan McRae wrote:
> > > 1) building gcc to enable PIE by default
> >
> > I am in the middle of rebuilding gcc with --enable-default-pie. When it
> > finishes, I will start a todo for rebuilding packages with static libraries.
> >
> > I also enabled --enable-default-ssp, which means that
> > -fstack-protector-strong will be dropped from our CFLAGS (as it will be
> > enforced by gcc) on the next opportunity.
> >
> > Bartłomiej
>
> Does --enable-default-ssp also enforce -fstack-check=specific to protect
> from stack clash [1]? Gentoo does it (except on vlc and tcl, which do not build,
> but those are upstream bugs) [2]
>
> [1] https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash
> [2] https://wiki.gentoo.org/wiki/Hardened/Gentoo_Hardened_and_Stack_Clash
>
> Pablo Lezaeta

No it doesn't, but the original plan [1] was to enable -fstack-check, -fno-plt and -z,now in the default flags in makepkg.conf. I hope the Pacman maintainer will add those before the mass rebuild starts so everything will be done at once.

[1] https://lists.archlinux.org/pipermail/arch-dev-public/2016-October/028405.html

--
Sent using MsgSafe.io's Free Plan
Private, encrypted, online communication
For everyone.
https://www.msgsafe.io
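An added check, not code from this thread or from Arch or Gentoo: it reads the ELF header, program headers and dynamic array of a little-endian ELF64 image to report whether a binary was linked as PIE (ET_DYN), with -z,now (DF_BIND_NOW / DF_1_NOW) and a PT_GNU_RELRO segment, and whether it references __stack_chk_fail, the handler that -fstack-protector-strong code calls on a canary mismatch. make_test_image builds constructed, non-loadable sample images so it runs offline; note that -fstack-check leaves no ELF-level marker, so that flag cannot be verified this way.

```python
import struct

# ELF64 constants (standard gABI / GNU values)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 0x1E, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
PHDR = "<IIQQQQQQ"  # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align

def check_hardening(data: bytes) -> dict:
    """Report hardening evidence for a little-endian ELF64 image.
    pie: e_type is ET_DYN (an executable linked that way is position independent).
    bind_now: DF_BIND_NOW in DT_FLAGS or DF_1_NOW in DT_FLAGS_1, which is what -z now sets.
    full_relro: PT_GNU_RELRO present and bind_now (GOT made read-only after relocation).
    ssp: heuristic, the __stack_chk_fail symbol name appears somewhere in the image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    flags = flags1 = 0
    relro = False
    for i in range(e_phnum):
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:  # walk the dynamic array up to DT_NULL
            for j in range(p_filesz // 16):
                d_tag, d_val = struct.unpack_from("<qQ", data, p_off + j * 16)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_FLAGS:
                    flags = d_val
                elif d_tag == DT_FLAGS_1:
                    flags1 = d_val
    bind_now = bool(flags & DF_BIND_NOW or flags1 & DF_1_NOW)
    return {"pie": e_type == ET_DYN, "bind_now": bind_now,
            "full_relro": relro and bind_now, "ssp": b"__stack_chk_fail" in data}

def make_test_image(pie: bool, bind_now: bool, relro: bool, ssp: bool) -> bytes:
    """Constructed sample input: a minimal, non-loadable ELF64 image with the given properties."""
    n_ph = 2 if relro else 1
    dyn = ([(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)] if bind_now else []) + [(DT_NULL, 0)]
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in dyn)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(  # e_ident, then the 48-byte header body
        "<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0, 64, 56, n_ph, 64, 0, 0)
    phdrs = struct.pack(PHDR, PT_DYNAMIC, 6, 64 + 56 * n_ph, 0, 0, len(dyn_bytes), len(dyn_bytes), 8)
    if relro:
        phdrs += struct.pack(PHDR, PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    return ehdr + phdrs + dyn_bytes + (b"\0__stack_chk_fail\0" if ssp else b"\0puts\0")
```

On a real binary, pass `open(path, "rb").read()` to check_hardening; a package built with the flags discussed above should report all four fields as True.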
On 07/01/2017 06:49 AM, Alexander Harrigan wrote:
It is extremely hard to keep track of what you wrote here, and what you are quoting from elsewhere (and who and where those quotes come from). Can you please use an email client that actually works? Thanks.

--
Eli Schwartz