[arch-dev-public] hardening-wrapper

Daniel Micay danielmicay at gmail.com
Tue Sep 15 19:01:52 UTC 2015


On 15/09/15 08:26 AM, Jan Alexander Steffens wrote:
> Hi,
> 
> I was quite surprised today that gcc suddenly started defaulting to
> -fstack-check. After some confusion and a bit of exploration, it turned out
> that hardening-wrapper, which came as a makedep with python, was
> responsible.
> 
> It is quite unfortunate that hardening-wrapper unexpectedly alters
> system-wide compiler behavior.
> 
> In addition, since makepkg layers ccache in front of hardening-wrapper,
> ccache will now miss compiler updates.
> 
> IMO it should be a makedepend on any package. If we want to harden our
> packages we can do this via makepkg.conf or adjusting CFLAGS in the
> PKGBUILD, not supposedly-per-package system-wide hacks. Thoughts?
> 
> Greetings,
> Jan

It's currently necessary to use PIE (ASLR) because you need different
switches for building / linking executables and shared libraries. The
secondary reason for it existing is to work around build systems not
respecting CFLAGS/LDFLAGS (many of them). It would be great if they were
all fixed, but it's unrealistic.

It's only system-wide without devtools. It was done this way because my
attempt to get makepkg to support this (as rpm/dpkg do on other
distributions) didn't pan out.

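The point above about PIE needing different switches for executables and shared libraries, as an added shell example of what a compiler wrapper has to do per invocation. This is not the code of hardening-wrapper or of anyone on this thread; the flag rules, the REAL_CC variable and the sample invocations are this example's own assumptions.

```shell
#!/bin/sh
# Added example: a minimal PIE-injecting compiler wrapper written for this
# page. It is NOT Arch's hardening-wrapper; the rules below are assumptions
# about how such a wrapper must behave.
#
# An executable needs -fPIE when compiling and -pie when linking, while a
# shared library needs -fPIC/-shared and must NOT get -pie. The same CC,
# CFLAGS and LDFLAGS are used for both, so a blanket CFLAGS="-fPIE -pie"
# breaks library builds; the wrapper has to look at argv and decide.

# pie_flags ARGS...  ->  prints the flags to prepend for this gcc invocation.
pie_flags() {
    mode=link      # no -c/-S/-E means the driver will link
    shared=no      # -shared: building a library, never add -pie
    explicit=no    # caller already chose the link mode; leave it alone
    for a in "$@"; do
        case "$a" in
            -c|-S|-E)                                    mode=compile ;;
            -shared)                                     shared=yes ;;
            -r|-static|-static-pie|-pie|-no-pie|-nopie)  explicit=yes ;;
        esac
    done
    if [ "$shared" = yes ]; then
        # Library build (compile or link step): the build system must pass
        # -fPIC itself. Adding -fPIE/-pie here would either be overridden or
        # produce a link that fails or carries text relocations.
        printf '%s\n' ""
        return 0
    fi
    if [ "$mode" = compile ] || [ "$explicit" = yes ]; then
        # Object for an executable, or a link whose mode the caller fixed
        # (-static, -r, -no-pie ...): -fPIE is safe, -pie is not ours to add.
        printf '%s\n' "-fPIE"
    else
        printf '%s\n' "-fPIE -pie"
    fi
}

# Wrapper entry point. The computed flags go FIRST so that anything the
# build system passes explicitly (-fPIC, -no-pie, ...) comes later and wins.
# REAL_CC is an assumption of this example, not a hardening-wrapper setting.
REAL_CC=${REAL_CC:-/usr/bin/gcc}
run_cc() {
    # shellcheck disable=SC2046  (word splitting of the flag list is intended)
    exec "$REAL_CC" $(pie_flags "$@") "$@"
}

# Check that a linked executable really came out as PIE: readelf reports
# ET_DYN for a PIE (shared libraries are ET_DYN too, so only apply this to
# files you know are executables). Needs binutils; not used by the demo.
is_pie() {
    readelf -h "$1" 2>/dev/null | grep -q 'Type:[[:space:]]*DYN'
}

# Stand-alone demonstration on constructed invocations (no compiler is run).
for argv in "-c foo.c -o foo.o" "foo.o -o foo" "-shared -o libfoo.so foo.o" "-static foo.o -o foo"; do
    # shellcheck disable=SC2086  (intentional word splitting of the sample argv)
    printf 'gcc %-28s -> [%s]\n' "$argv" "$(pie_flags $argv)"
done
```

Because the wrapper's flags are prepended, a PKGBUILD or build system that already passes -fPIC or -no-pie still gets what it asked for; the wrapper only supplies defaults for the (many) build systems that pass nothing at all. Layer it after ccache rather than before it, or ccache will hash the wrapper instead of the real compiler and miss compiler updates, which is the second problem raised above.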