[arch-dev-public] Changing compilation flags
bpiotrowski at archlinux.org
Sun Jul 2 10:44:46 UTC 2017
On 2017-07-02 00:32, Allan McRae wrote:
> On 02/07/17 06:51, Bartłomiej Piotrowski wrote:
>> On 2017-06-30 23:44, Allan McRae wrote:
>>> On 30/06/17 19:07, Bartłomiej Piotrowski wrote:
>>>> On 2016-10-24 05:56, Allan McRae wrote:
>>>>> 1) building gcc to enable PIE by default
>>>> I am in the middle of rebuilding gcc with --enable-default-pie. When it
>>>> finishes, I will start a todo for rebuilding packages with static libraries.
>>>> I also enabled --enable-default-ssp, which means that
>>>> -fstack-protector-strong will be dropped from our CFLAGS (as it will be
>>>> enforced by gcc) on the next opportunity.
>>> Are you adding full RELRO + no-plt at the same time?
>> Yes, and -fstack-check=specific too, although I might drop no-plt if it
>> will cause too many builders.
> I thought the conclusion from the Stack Clash bugs was that the current
> -fstack-check was fundamentally flawed and was being completely
> rewritten for the next gcc. Is the "=specific" version OK?
Packages described in Qualys' analysis weren't affected if compiled with
'specific'. It's probably not perfect either, but better that than
nothing at all.
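Added example, not part of this thread or any Arch tooling: a POSIX sh check that reads `readelf -h -l -d -s` output and reports whether a built binary actually carries the properties the flags above produce (PIE via ET_DYN, full RELRO via GNU_RELRO plus BIND_NOW, and a stack-protector reference). The two readelf samples are constructed for the demonstration; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): classify an ELF binary's hardening
# state from `readelf -h -l -d -s` output, for the properties the discussed
# flags produce: PIE (ET_DYN), full RELRO (GNU_RELRO + BIND_NOW), and the
# stack protector (an imported __stack_chk_fail is a heuristic, not proof).
# Real use:  readelf -h -l -d -s /path/to/binary | check_hardening

check_hardening() {
    # Reads readelf output on stdin; prints one "NAME: yes|no" line per check.
    out=$(cat)
    pie=no; relro=no; bindnow=no; ssp=no; full=no
    printf '%s\n' "$out" | grep -q 'Type:[[:space:]]*DYN' && pie=yes
    printf '%s\n' "$out" | grep -q 'GNU_RELRO' && relro=yes
    printf '%s\n' "$out" | grep -Eq 'FLAGS.*BIND_NOW|FLAGS_1.*NOW' && bindnow=yes
    printf '%s\n' "$out" | grep -q '__stack_chk_fail' && ssp=yes
    # Full RELRO needs both the read-only segment and eager binding.
    [ "$relro" = yes ] && [ "$bindnow" = yes ] && full=yes
    printf 'PIE: %s\nRELRO: %s\nBIND_NOW: %s\nFULL_RELRO: %s\nSSP: %s\n' \
        "$pie" "$relro" "$bindnow" "$full" "$ssp"
}

# Constructed sample: readelf output for a PIE with full RELRO and SSP.
hardened_sample() {
cat <<'EOF'
ELF Header:
  Type:                              DYN (Position-Independent Executable file)
Program Headers:
  GNU_RELRO      0x002d90 0x0000000000003d90 0x0000000000003d90 0x000270 0x000270 R   0x1
Dynamic section at offset 0x2da0 contains 27 entries:
  0x000000000000001e (FLAGS)              BIND_NOW
  0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
Symbol table '.dynsym' contains 7 entries:
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
EOF
}

# Constructed sample: a non-PIE executable with partial RELRO and no SSP.
legacy_sample() {
cat <<'EOF'
ELF Header:
  Type:                              EXEC (Executable file)
Program Headers:
  GNU_RELRO      0x000e10 0x0000000000600e10 0x0000000000600e10 0x0001f0 0x0001f0 R   0x1
Dynamic section at offset 0xe20 contains 24 entries:
  0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
Symbol table '.dynsym' contains 5 entries:
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.2.5 (2)
EOF
}

hardened_sample | check_hardening
legacy_sample | check_hardening
```

A binary that reports FULL_RELRO or PIE as "no" after the rebuild is one where the package's own build system overrode the toolchain defaults, which is what the rebuild todo needs to catch.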