On Friday 26 June 2009 14.36.04 klondike wrote:
> 2009/6/26 Ed W <lists@××××××××××.com>:
> > klondike wrote:
> >>> Apologies for replying to my own post, but I just realised that you
> >>> were posing the question in the context of klondike's blog post. I do
> >>> not know what the status of SSP is in the overlays and/or experimental
> >>> toolchains so I'll bow out and leave it to one of the toolchain gurus
> >>> to provide a credible response. My answer applies to the gcc ebuild in
> >>> the mainline tree.
> >>
> >> Although I may be wrong, AFAIK SSP works nicely with almost anything
> >> except libstdc++; also packages which need it to be disabled (i.e.
> >> thunderbird) usually do it without a problem or after patching the
> >> ebuild a bit. Anyway, I think the best one to answer is Zorry or Xake as
> >> they maintain it.
> >
> > So the Xake overlay is GCC 4.3.2 with the GCC 4 SSP enabled?
>
> Mainly I could say it is.
>
> > My limited understanding is that the GCC 4 (new) SSP implementation
> > should be relatively benign and supported already by a modern toolchain
> > with no further patches? I would naively assume that since Redhat (and
> > others) seem to be building their distros with it turned on that most
> > packages would already be largely patched upstream to cope with it?
> > (certainly I am more interested in server packages than desktop
> > packages)
>
> I think Ubuntu has enabled it too. But I don't know how well or badly
> packages are usually supported upstream. I have run an apache2 server
> and a verlihub server with the toolchain without issues, but I can't
> guarantee you anything as the server still hasn't had heavy load.
>
> >> Anyway, at least on the overlay uclibc is still not supported :(
> >> http://github.com/Xake/toolchain-overlay/blob/54581c25b74be5a5dc3d8c1de61dba55db7c639f/README
> >
> > Does Xake hang out here? Curious as to what issues will be found in
> > uclibc. I'm not specially tied to uclibc, just that it seems to work
> > nicely so far and I'm not desperately tight on drive space...
>
> I don't know the reasons for uclibc being not supported, but I think
> it was because of some compilation problems. (Can't find the tickets,
> sorry).

The problem with uclibc is that it doesn't support TLS and GCC > 4.1 SSP uses TLS.
See bug #149292 and #267335 on bugs.gentoo.org.
It may only need gcc4-stack-protector-uclibc-no-tls.patch but I can be wrong
too. We are working hard to get GCC 4.4.0 with Hardened enabled and pass the full
gcc testsuite. I will try to get the patchset upstream in GCC 4.5 so we only
need a small patch to run it on Gentoo and it may get used by some more distros.
To get SSP as default without -fstack-protector in CFLAGS or CXXFLAGS, GCC
needs patches, and some stuff in the GCC sources doesn't compile well with SSP on.
Gentoo's Hardened Toolchain for GCC 4.* has the SSP compile patches but doesn't
have the needed spec and fixes in toolchain.eclass to use it as default, and
some packages in the tree don't have the GCC 4.* SSP support yet. A fix is to
add -fstack-protector to the CFLAGS and CXXFLAGS but you can get PROBLEMS TOO.
The overlay has SSP and PIE enabled by default but lacks some fixes for
packages, and we still fix bugs, so it can be b0rked from time to time. :)

Ubuntu and Debian use SSP as default with patched GCC sources.
But only -fstack-protector is enabled, and we use -fstack-protector-all as
default in the Hardened Toolchain, so we may hit more bugs.

Xake does hang out here when he has time.
If more info is needed, ask in the forum or on irc #gentoo-hardened @ Freenode or
the ml.

http://hardened.gentooexperimental.org/trac/secure/wiki
/Zorry