Gentoo Archives: gentoo-dev

From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] [PATCH] To enable ssp default in Gcc the toolchain.eclass need some changes.
Date: Thu, 09 Jan 2014 23:28:53
Message-Id: 52CF30B2.9090502@gentoo.org
In Reply to: Re: [gentoo-dev] [PATCH] To enable ssp default in Gcc the toolchain.eclass need some changes. by "Rick \"Zero_Chaos\" Farina"
On 01/09/2014 06:13 PM, Rick "Zero_Chaos" Farina wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 01/09/2014 06:01 PM, Anthony G. Basile wrote:
>> On 01/09/2014 05:21 PM, Michał Górny wrote:
>>> On 2014-01-09, at 17:06:52
>>> "Anthony G. Basile" <blueness@g.o> wrote:
>>>
>>>> On 01/09/2014 04:57 PM, Pacho Ramos wrote:
>>>>> What are the advantages of disabling SSP to deserve that "special"
>>>>> handling via USE flag or easily disabling it appending the flag?
>>>> There are some cases where ssp could break things. I know of one case
>>>> right now, but it's somewhat exotic. Also, sometimes we *want* to break
>>>> things for testing. I'm thinking here of an instance where we want to test
>>>> a pax hardened kernel to see if it catches abuses of memory which would
>>>> otherwise be caught by executables emitted from a hardened toolchain.
>>>> Take a look at the app-admin/paxtest suite.
>>> Just to be clear, are we talking about potential system-wide breakage
>>> or single, specific packages being broken by SSP? In other words, are
>>> there cases when people will really want to disable SSP completely?
>>>
>>> Unless I'm misunderstanding something, your examples sound like you
>>> just want -fno-stack-protector per-package. I don't really think you
>>> actually want to rebuild whole gcc just to do some testing on a single
>>> package...
>>>
>> Correct, you'd only want to turn off ssp per package and then only in
>> rare cases. You should never have to rebuild gcc for this. With ssp on
>> by default, gcc specs would add -fstack-protector to all builds. If you
>> don't want a package built with ssp, then just do
>> CFLAGS="-fno-stack-protector" and you're building without ssp.
>>
> This reads very much like "the nossp use flag is useless".
>
I was not referring to the nossp flag. I was simply answering Michał's
concern about ssp and system wide breakage. My point is that ssp on by
default will NOT lead to system wide breakage, only per package and then
only very very rarely.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@g.o
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA