| 1 |
On Tue, Oct 25, 2011 at 1:59 AM, Ryan Hill <dirtyepic@g.o> wrote: |
| 2 |
> On Mon, 24 Oct 2011 13:26:01 +0200 |
| 3 |
> ""Paweł Hajdan, Jr."" <phajdan.jr@g.o> wrote: |
| 4 |
>> Is it possible to just pass flags to GCC: disable all this hardened |
| 5 |
>> stuff? I know you can disable stack protector, but how about PIE or PIC, |
| 6 |
>> and possible other hardening features? |
| 7 |
> |
| 8 |
> You might be able to use the GCC_SPECS env var. |
| 9 |
> |
| 10 |
> Personally I think this is a lot of work for not much benefit, but if you |
| 11 |
> want to do it then who am I to argue. |
| 12 |
|
| 13 |
Wouldn't the potential benefit to be allowing more hardened flags to |
| 14 |
go into the default specs so that everybody benefits, but then |
| 15 |
allowing individual packages to turn them off for compatibility |
| 16 |
reasons. This would be not unlike what we do with filter-flags for |
| 17 |
packages that are finicky about optimizations. |
| 18 |
|
| 19 |
I'm not suggesting putting flags that break 90% of packages in the |
| 20 |
defaults. However, right now in the discussion about moving some |
| 21 |
hardened features to default the sense is that we sacrifice hardening |
| 22 |
for the sake of package selection, so a flag that breaks 5% of the |
| 23 |
packages in the tree wouldn't be a good one to enable. However, |
| 24 |
setting the specs per-package would let you be a little more |
| 25 |
aggressive since fixing a few odd ebuilds isn't a big deal, as long as |
| 26 |
the settings don't cause trouble if not enabled system-wide. |
| 27 |
|
| 28 |
Rich |
Archives