[arch-dev-public] [PATCH 2/2] makepkg.conf: Update our default FLAGS

Jan Alexander Steffens (heftig) jan.steffens at gmail.com
Fri Jul 10 18:38:17 UTC 2020


From: "Jan Alexander Steffens (heftig)" <heftig at archlinux.org>

I recently read [Fedora's documentation on build flags][1] and I think
they have some useful ideas.

1. Move -D_FORTIFY_SOURCE=2 from CPPFLAGS to CFLAGS using -Wp:
   Unfortunately, there are still build systems (e.g. CMake, homegrown
   Makefile rules) which use CFLAGS but not CPPFLAGS. Ultimately, we can
   cover more code with this workaround.

2. -fexceptions:
   Slight hardening of C programs making use of automatic variable
   cleanup or pthread_cancel. Cost should be negligible.

3. -fstack-clash-protection:
   Hardening of large stack allocations. Cost should be negligible.

   We need to patch clang to ignore this, like we once did for -fno-plt.

4. -fcf-protection:
   Hardening which makes code compatible with Intel CET. Increases code
   size a bit but cost should be negligible.

   No processors supporting it are available yet, but the linker only
   marks binaries for CET when all code is compatible, so we could get a
   head-start on this.

5. -fasynchronous-unwind-tables:
   Generates DWARF unwinding information that doesn't get stripped.
   Increases binary size a bit.

   Should make sure tools like perf and gdb can unwind the stack
   completely even without debug symbols. This makes the debugger more
   useful if you only have debug symbols for some frames, since frames
   without symbols can no longer break unwinding.

6. -Wp,-D_GLIBCXX_ASSERTIONS:
   Enables some assertions in libstdc++. Hardening similar to
   _FORTIFY_SOURCE.

7. -grecord-gcc-switches:
   Useful information to record. But since we don't use `debug` yet,
   won't affect us much.

[1]: https://src.fedoraproject.org/rpms/redhat-rpm-config/blob/master/f/buildflags.md
---
 PKGBUILD     |  2 +-
 makepkg.conf | 12 +++++++-----
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/PKGBUILD b/PKGBUILD
index 846a970..ed1d492 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -27,7 +27,7 @@ source=(https://sources.archlinux.org/other/pacman/$pkgname-$pkgver.tar.gz{,.sig
 sha256sums=('bb201a9f2fb53c28d011f661d50028efce6eef2c1d2a36728bdd0130189349a0'
             'SKIP'
             '3353f363088c73f1f86a890547c0f87c7473e5caf43bbbc768c2e9a7397f2aa2'
-            'd113252f97f019a13541237a4f4c7fbe9ffd0c3e71ecd7cd8d5d227b378819ab')
+            '3818559af64c11d9cda127ae75e48e5f8780bbe71513f5a3c484c38eb16a2b71')
 
 
 build() {
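Review bot: The last sha256sums entry is the only PKGBUILD line this patch touches (the diffstat shows one insertion and one deletion), so nothing here bumps pkgrel; unless patch 1/2 does, the changed makepkg.conf ships under the same package version and installed systems will not pick it up as an upgrade. The new hash should also be regenerated from the final makepkg.conf once the whole series is applied, since any later edit to that file invalidates it.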
diff --git a/makepkg.conf b/makepkg.conf
index a277503..c8c917e 100644
--- a/makepkg.conf
+++ b/makepkg.conf
@@ -36,16 +36,18 @@ CARCH="x86_64"
 CHOST="x86_64-pc-linux-gnu"
 
 #-- Compiler and Linker Flags
-CPPFLAGS="-D_FORTIFY_SOURCE=2"
-CFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fno-plt"
-CXXFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fno-plt"
+#CPPFLAGS=""
+CFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions \
+        -fstack-clash-protection -fcf-protection -fasynchronous-unwind-tables \
+        -Wp,-D_FORTIFY_SOURCE=2,-D_GLIBCXX_ASSERTIONS"
+CXXFLAGS="$CFLAGS"
 LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now"
 #RUSTFLAGS="-C opt-level=2"
 #-- Make Flags: change this for DistCC/SMP systems
 #MAKEFLAGS="-j2"
 #-- Debugging flags
-DEBUG_CFLAGS="-g -fvar-tracking-assignments"
-DEBUG_CXXFLAGS="-g -fvar-tracking-assignments"
+DEBUG_CFLAGS="-g -grecord-gcc-switches -fvar-tracking-assignments"
+DEBUG_CXXFLAGS="-g -grecord-gcc-switches -fvar-tracking-assignments"
 #DEBUG_RUSTFLAGS="-C debuginfo=2"
 
 #########################################################################
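Review bot: -fstack-clash-protection on the new CFLAGS continuation line becomes a default for every compiler, yet the commit message says clang still has to be patched to ignore it, so this should land after that clang change or the message should state what clang builds do in the meantime. With CPPFLAGS now commented out and the define moved to "-Wp,-D_FORTIFY_SOURCE=2,-D_GLIBCXX_ASSERTIONS", any PKGBUILD that drops or overrides fortification by editing CPPFLAGS would no longer match anything, which deserves a sentence in the commit message or a comment above "#CPPFLAGS=". CXXFLAGS="$CFLAGS" also ties the two together, so -D_GLIBCXX_ASSERTIONS is passed to C builds where it has no effect and a user who edits only CFLAGS changes C++ builds as well; a short comment stating that this is intended would help.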
-- 
2.27.0

