[arch-dev-public] New CFLAGS/LDFLAGS plus complete toolchain rebuild

Allan McRae allan at archlinux.org
Sun Aug 14 07:42:37 EDT 2011

This has been discussed a couple of times previously on the mailing 
lists and there were no objections so I have finally gotten around to 
adding some hardening options to our CFLAGS/LDFLAGS.  With 
pacman-3.5.4-4 the defaults in makepkg.conf become:

CFLAGS="-march=i686 -mtune=generic -O2 -pipe -fstack-protector 
--param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2"

As discussed previously, the addition of -Wl,-O1,--sort-common to 
LDFLAGS is not hardening... but these are safe options and they do 
appear to more than counter the slight overhead that stack smashing 
protection adds.

These are all fairly standard flags being used to build the major 
distros these days (other distros patch their toolchain to make these 
the default), so there should be few issues.   Probably the only thing 
to watch out for is to disable them when building bootloaders.

The toolchain and all its (real) dependencies has been rebuilt with 
these flags and the necessary adjustments made to the packages.  See 
notes below:

All toolchain dependencies (just rebuilds):

Toolchain components:
  linux-api-headers-3.0.1-1  (upstream update)
  gcc{,-libs}-4.6.1-3  (do not build libssp with hardening flags)
  glibc-2.14-5  (do not build libraries with hardening flags)

I intend to leave this in [testing] for a couple of weeks to make sure 
there are no issues.  I have been running this locally for about a week 
and am fairly sure I have the kinks worked out now...  I will call for 
the sign-off later.


More information about the arch-dev-public mailing list