| 1 |
On Sat, 07 Sep 2013 19:08:57 -0400 |
| 2 |
"Rick \"Zero_Chaos\" Farina" <zerochaos@g.o> wrote: |
| 3 |
|
| 4 |
> Personally I think this would be a great stepping stone. If we add |
| 5 |
> - -fstack-protector to 4.8.1 it will improve security (only a little I |
| 6 |
> know) and give us an idea of what issues we may have. After a short |
| 7 |
> enjoyment of fixing any issues which come up we could more to |
| 8 |
> - -fstack-protector-strong in 4.9. |
| 9 |
|
| 10 |
Okay it won't be available for 4.8.1. It's going to require a couple minor |
| 11 |
glibc changes and a lot of testing. A bunch of packages stick workarounds |
| 12 |
behind a hardened USE flag or do things like `filter-flags -fstack-protector` |
| 13 |
which don't actually work (we have to patch the compiler, not just add it to |
| 14 |
the default flags in the profiles or something). I need to check the |
| 15 |
interactions with hardened's spec files. And I need to get 4.8.1 out the door |
| 16 |
two weeks ago. Once we fix the fallout from the unmasking I'll get back to this. |
| 17 |
|
| 18 |
I also want to make a comment on the implications of this change that people |
| 19 |
may not have considered. Bugs caused by -fstack-protector can no longer be |
| 20 |
just dismissed as unsupported, invalid, or assigned to the hardened team and |
| 21 |
forgotten about. You will be expected to fix them, and `append-flags |
| 22 |
-fno-stack-protector` is not an acceptable fix. You can't champion for more |
| 23 |
secure defaults and then just disable them when they get in your way. |
| 24 |
|
| 25 |
So does anyone have any objections to making -fstack-protector the default? |
| 26 |
Now is the time to speak up. |
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
(and for the record I've changed my mind and would like to see this go forward, |
| 31 |
so please stop emailing me) |
| 32 |
|
| 33 |
|
| 34 |
-- |
| 35 |
Ryan Hill psn: dirtyepic_sk |
| 36 |
gcc-porting/toolchain/wxwidgets @ gentoo.org |
| 37 |
|
| 38 |
47C3 6D62 4864 0E49 8E9E 7F92 ED38 BD49 957A 8463 |
Archives