On Tue, Oct 25, 2011 at 1:59 AM, Ryan Hill <dirtyepic@g.o> wrote:
> On Mon, 24 Oct 2011 13:26:01 +0200
> "Paweł Hajdan, Jr." <phajdan.jr@g.o> wrote:
>> Is it possible to just pass flags to GCC: disable all this hardened
>> stuff? I know you can disable stack protector, but how about PIE or PIC,
>> and possibly other hardening features?
>
> You might be able to use the GCC_SPECS env var.
>
> Personally I think this is a lot of work for not much benefit, but if you
> want to do it then who am I to argue.

Wouldn't the potential benefit be allowing more hardened flags to
go into the default specs so that everybody benefits, but then
allowing individual packages to turn them off for compatibility
reasons? This would be not unlike what we do with filter-flags for
packages that are finicky about optimizations.

I'm not suggesting putting flags that break 90% of packages in the
defaults. However, right now in the discussion about moving some
hardened features to default the sense is that we sacrifice hardening
for the sake of package selection, so a flag that breaks 5% of the
packages in the tree wouldn't be a good one to enable. However,
setting the specs per-package would let you be a little more
aggressive since fixing a few odd ebuilds isn't a big deal, as long as
the settings don't cause trouble if not enabled system-wide.

Rich