[arch-dev-public] Changing compilation flags

Bartłomiej Piotrowski bpiotrowski at archlinux.org
Sun Jul 2 10:44:46 UTC 2017


On 2017-07-02 00:32, Allan McRae wrote:
> On 02/07/17 06:51, Bartłomiej Piotrowski wrote:
>> On 2017-06-30 23:44, Allan McRae wrote:
>>> On 30/06/17 19:07, Bartłomiej Piotrowski wrote:
>>>> On 2016-10-24 05:56, Allan McRae wrote:
>>>>> 1) building gcc to enable PIE by default
>>>>
>>>> I am in the middle of rebuilding gcc with --enable-default-pie. When it
>>>> finishes, I will start a todo for rebuilding packages with static libraries.
>>>>
>>>> I also enabled --enable-default-ssp, which means that
>>>> -fstack-protector-strong will be dropped from our CFLAGS (as it will be
>>>> enforced by gcc) on the next opportunity.
>>>>
>>>
>>> Are you adding full RELRO + no-plt at the same time?
>>>
>>> A
>>>
>>
>> Yes, and -fstack-check=specific too, although I might drop no-plt if it
>> will cause too many builders.
>>
> 
> I thought the conclusion from the Stack Clash bugs was that the current
> -fstack-check was fundamentally flawed and was being completely
> rewritten for the next gcc.  Is the "=specific" version OK?
> 

Packages described in Qualys' analysis weren't affected if compiled with
'specific'. It's probably not perfect either, but better that than
nothing at all.

Bartłomiej
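One way to check that a rebuilt binary actually carries what this thread is negotiating (PIE, and partial versus full RELRO, where "full" means a GNU_RELRO segment plus BIND_NOW). This is an added example, not code from the thread or from Arch's build tooling; it parses ELF64 headers directly instead of calling readelf, and `build_elf` fabricates minimal constructed ELF images so it runs without a real package.

```python
import struct

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000
ET_EXEC, ET_DYN = 2, 3


def check_hardening(elf: bytes) -> dict:
    """Classify an ELF64 image: PIE (ET_DYN, plus ld's DF_1_PIE marker when present)
    and RELRO level: 'full' needs both a GNU_RELRO segment and BIND_NOW."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("only ELF64 images are handled here")
    end = "<" if elf[5] == 1 else ">"  # EI_DATA: 1 = little endian
    e_type, = struct.unpack_from(end + "H", elf, 16)
    e_phoff, = struct.unpack_from(end + "Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 54)
    has_relro, dyn = False, {}
    for i in range(e_phnum):
        p_type, _fl, p_off, _va, _pa, p_filesz = struct.unpack_from(
            end + "IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:  # walk the dynamic table up to DT_NULL
            for off in range(p_off, p_off + p_filesz, 16):
                tag, val = struct.unpack_from(end + "qQ", elf, off)
                if tag == DT_NULL:
                    break
                dyn[tag] = val
    bind_now = bool(DT_BIND_NOW in dyn or dyn.get(DT_FLAGS, 0) & DF_BIND_NOW
                    or dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)
    # ET_DYN alone also matches shared objects; pie_flag is the stronger signal.
    return {"pie": e_type == ET_DYN,
            "pie_flag": bool(dyn.get(DT_FLAGS_1, 0) & DF_1_PIE),
            "relro": "full" if has_relro and bind_now else "partial" if has_relro else "none"}


def build_elf(e_type: int, relro: bool, dyn_entries: list) -> bytes:
    """Constructed minimal ELF64 (header, program headers, dynamic table only)."""
    phdrs = [[PT_DYNAMIC, 6, 0, 0, 0, 16 * (len(dyn_entries) + 1), 0, 8]]
    if relro:
        phdrs.append([PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1])
    phdrs[0][2] = 64 + 56 * len(phdrs)  # dynamic table follows the phdrs
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8 + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    phdr_bytes = b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries + [(DT_NULL, 0)])
    return ehdr + phdr_bytes + dyn
```

On a real package, pass `open(path, "rb").read()` to `check_hardening`; the stack-protector and -fstack-check settings are not visible from headers alone and need symbol or disassembly inspection.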

