Marius Mauch wrote:
| On 09/22/04 Mike Frysinger wrote:
|
|
|>On Wednesday 22 September 2004 07:17 pm, Donnie Berkholz wrote:
|>

[...]

|>that said, what needs to be done here in order to get the ball rolling
|>? can we simply put together a function in flag-o-matic which will
|>check FEATURES and ARCH and gcc, and then just `append-flags
|>-fstack-protector` ? then in our system packages, just call this
|>function ...-mike
|
|
| What exactly would that FEATURE do? If it really only affects CFLAGS I
| don't see the need for another FEATURE flag at all. We already have ~30
| different flags, please let's try to avoid another USE disaster by not
| adding new flags for trivial stuff.
|

Users could add -fstack-protector for global stack smash protection;
what's proposed here is to alter certain packages to use
-fstack-protector based on their risk factor (the proposed measure of
risk factor is if they're daemons, or if they're SETUID (chmod +s)).

CFLAGS="-fstack-protector"

***************************
*_ALL_PACKAGES____________*
*__(Stack_Smash_Protected)*
*_________________________*
*_________________________*
*_________________________*
*_________________________*
*_________________________*
***************************

FEATURES="autossp"

***************************
*_ALL_PACKAGES____________*
*_________________________*
*_________________________*
****************__________*
*_DAEMONS______*__________*
*_(Stack_Smash *__________*
*___Protected)_*__________*
***************************

Does this clearly enough illustrate the difference? Rather than
protecting everything including, say, ufed, vim and gedit, only the
obvious players are given extra padding (it's more like lightweight
bioarmor; padding is clunky and reduces dexterity too much).

This is easily compared to a football game: FEATURES="autossp" protects
the players; while CFLAGS="-fstack-protector" protects the players,
referee, cheerleaders, crowd, announcers, and sponsors. It's pretty
obvious you don't want two 300 pound giants ramming into each other with
no protection; it's not so obvious that the football might get kicked
too far and hit someone in the crowd in the jaw. Those that fear this
bring their own damn padding.

| Marius
|

--
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.


--
gentoo-dev@g.o mailing list
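The helper Mike sketches in the quoted text (check FEATURES, ARCH and gcc, then append the flag), written out as an added example that is not from this thread, from flag-o-matic or from Gentoo. The function names append_ssp_flags, ssp_cc_ok and has_word and the SSP_ARCHES list are assumptions made for the example; autossp is the FEATURE name proposed above. An ebuild for a daemon or a setuid program would call append_ssp_flags from its build phase, and every other package would leave it alone, which is the "only the obvious players" split the two diagrams describe.

```shell
#!/bin/sh
# Added example, not code from the thread or from Gentoo's flag-o-matic.
# Hypothetical helper an ebuild for a daemon or setuid program would call
# so that only "the obvious players" get -fstack-protector.
# Assumed names: has_word, ssp_cc_ok, append_ssp_flags, SSP_ARCHES.

# Arches whose toolchain is assumed to carry stack-protector support
# (constructed list for this example, not Gentoo's).
SSP_ARCHES="${SSP_ARCHES:-x86 amd64 ppc}"

# has_word WORD LIST...: succeed when WORD is one of the space-separated
# words in LIST (the same idea as portage's `has` helper).
has_word() {
    _needle=$1
    shift
    for _w in $*; do
        [ "$_w" = "$_needle" ] && return 0
    done
    return 1
}

# ssp_cc_ok: does $CC accept -fstack-protector?  Compile an empty
# translation unit and throw the output away; a compiler without SSP
# support rejects the flag, and the helper must not break those builds.
ssp_cc_ok() {
    ${CC:-gcc} -fstack-protector -x c -c /dev/null -o /dev/null 2>/dev/null
}

# append_ssp_flags: add -fstack-protector to CFLAGS only when
#   1. the user enabled the proposed autossp FEATURE,
#   2. ARCH is one whose toolchain is expected to support the flag, and
#   3. the compiler actually accepts it.
# Returns 0 when the flag is in CFLAGS afterwards, 1 when it was skipped,
# so the caller can log the decision.
append_ssp_flags() {
    has_word autossp "$FEATURES" || return 1
    has_word "$ARCH" "$SSP_ARCHES" || return 1
    ssp_cc_ok || return 1
    # Idempotent: calling twice must not duplicate the flag.
    has_word -fstack-protector "$CFLAGS" && return 0
    CFLAGS="${CFLAGS:+$CFLAGS }-fstack-protector"
    export CFLAGS
    return 0
}

# Demonstration with constructed values, as a daemon's ebuild would see
# them; it probes the real ${CC:-gcc}, so the outcome depends on the
# compiler installed on the machine running this.
FEATURES="sandbox autossp"
ARCH=x86
CFLAGS="-O2 -pipe"
if append_ssp_flags; then
    echo "stack protection enabled: CFLAGS=$CFLAGS"
else
    echo "stack protection skipped:  CFLAGS=$CFLAGS"
fi
```

The compiler probe is the step that keeps this safe to call from many ebuilds: a gcc without stack-protector support rejects the flag outright, so appending it blindly would turn a hardening feature into a build failure for every package that opted in. Returning a status instead of silently doing nothing lets the ebuild say in its build log whether the package it considers high-risk actually got the protection.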