Ok, it looks like you probably merged 3.2.2-r3 before we added
propolice there, so you'll need to recompile that.

just rsync and try to emerge it, those digests are a bit flakey
but it eventually works (we are working on this)

also, the correct CFLAG to use is "-fstack-protector" nothing
else will work.

if you want a stack protected Xfree you *must* install xfree-4.3.0-r2
(it's masked for testing), it's the only one with the patches required
to work with propolice. If you find any other apps that break with
propolice please write us a bug and assign it to "hardened@g.o"

Thanks..

Joshua Brindle

>>> Boyd Waters <bwaters+kde@××××××××.edu> 04/10/03 09:43PM >>>
Joshua:

Thanks again for making this happen with GCC-3.2.2...

My previous post was unclear, so here's another try: although portage/ebuild
on my system thought that gcc-3.2.2-r3 was already merged, the gcc-3.2.2 that
I had did not have the patches applied.

I suspect that I injected -r3 to avoid a large ebuild in the middle of some
other world updates this past weekend... let me check... hmm, no, I installed
3.2.2-r3 on March 16th, in the course of an enormous world update (39
packages)... so I think that it was emerged normally... but I can't be
certain, and "inject" is the sort of thing that I would do!

So I thought that I had 3.2.2-r3 installed, so I tried to add -fstack-protect
to my CFLAGS. The first time I tried to build something after that, cc1 died
with an "unrecognized flag" error complaining about this... and a
gcc --version reported NO indication of propolice.

Hmmm... I performed "ebuild /usr/portage/sys-devel/gcc/gcc-3.2.2-r3.ebuild"
and that's when I started getting the complaints about missing patch distros.
But "emerge --fetchonly" or "ebuild ... fetch" would NOT retrieve the files.

I was able to emerge the -r3 package just fine after I pulled the two
offending patch tarballs manually: it built without a hitch, and I have been
building kdebase-3.1.1a all evening with it, with -fstack-protect in the
CFLAGS.

I would rather not chase this one too much. I strongly suspect user error
(me) -- in that I might have injected the -r3, thinking that it was just a
"tip" build (no significant changes) -- and unmerging gcc to re-merge the
package "clean" is rather fraught.

I have a VMWare image of a "clean", from-stage1-image that I'm tinkering
with, building up a clone of my everyday system from a bare system by
identifying the packages that I use and only installing those. So maybe next
week I will take the time to install gcc-3.2.2-r3 on a "clean" system;
hopefully I will be able to report my results of building an entire system
with no-stack-smashing in about ten days!

-- boyd

On Thursday 10 April 2003 05:07 pm, Joshua Brindle wrote:

> first, "-fstack-protector" should work fine..
>
> second, just emerge rsync and try again with that ebuild..
>
> if you still have problems write a bug and assign it to me or frogger..
>
> we have several testers for propolice gcc already and are fixing
> ebuilds where -fstack-protector isn't appropriate, but we are not done
> if anyone wants to test this and tell us about ebuilds where it breaks
> that would be great.. thanks
>
> Joshua Brindle

--
gentoo-hardened@g.o mailing list