On Wed, Aug 22, 2012 at 2:17 PM, Russ Allbery <rra@xxxxxxxxxxxx> wrote:
> Jeffrey Walton <noloader@xxxxxxxxx> writes:
>
>> Here are the flags I am interested in. Again, the developers generally
>> don't supply them ("it compiles, so ship it!"). I'm interested in
>> warnings too because I need to see dumb, CompSci 101 mistakes such as
>> ignoring return values, truncation problems, and conversion problems.
>> When I find them, I need to fix them because developers don't care about
>> these things ("it compiles, so ship it!")
>
>> EXECUTABLE:
>> -Wall -Wextra -Wconversion -fPIE -pie -Wno-unused-parameter -Wformat=2
>> -Wformat-security -fstack-protector-all -Wstrict-overflow
>> -Wl,-z,noexecstack -Wl,-z,relro -Wl,-z,now
>
>> SHARED OBJECT:
>> -Wall -Wextra -Wconversion -fPIC -shared -Wno-unused-parameter
>> -Wformat=2 -Wformat-security -fstack-protector-all -Wstrict-overflow
>> -Wl,-z,noexecstack -Wl,-z,relro -Wl,-z,now
>
> *If* the package uses libtool, which I realize is a big if, just pass
> -fPIE in CFLAGS and don't worry about the difference. Libtool is already
> adding -fPIC -shared when building the shared objects, and is smart enough
> to drop -fPIE from the shared objects as pointless.

Thanks Russ. No joy.

Did I mention I tried to do an end around, and add platform hardening
after the fact ("Add compiler and linker hardening after the fact,"
http://sourceware.org/ml/binutils/2012-03/msg00309.html)? No joy
there, either.

No wonder GNU programmers don't use any security features....

Jeff

$ ./configure CFLAGS="-Wall -Wextra -Wconversion -fPIE -Wno-unused-parameter -Wformat=2 -Wformat-security -fstack-protector-all -Wstrict-overflow -Wl,-pie -Wl,-z,noexecstack -Wl,-z,relro -Wl,-z,now"
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking target system type... x86_64-unknown-linux-gnu
checking for gcc... gcc
checking whether the C compiler works... no
configure: error: in `/home/jeffrey/Desktop/ucommon-5.5.0':
configure: error: C compiler cannot create executables
See `config.log' for more details

*****

configure:2957: checking whether the C compiler works
configure:2979: gcc -Wall -Wextra -Wconversion -fPIE -Wno-unused-parameter -Wformat=2 -Wformat-security -fstack-protector-all -Wstrict-overflow -Wl,-pie -Wl,-z,noexecstack -Wl,-z,relro -Wl,-z,now conftest.c >&5
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/4.6.1/../../../x86_64-linux-gnu/crt1.o: relocation R_X86_64_32S against `__libc_csu_fini' can not be used when making a shared object; recompile with -fPIC
/usr/lib/gcc/x86_64-linux-gnu/4.6.1/../../../x86_64-linux-gnu/crt1.o: could not read symbols: Bad value
collect2: ld returned 1 exit status
configure:2983: $? = 1
configure:3021: result: no
configure: failed program was:
| /* confdefs.h */
| #define PACKAGE_NAME ""
| #define PACKAGE_TARNAME ""
| #define PACKAGE_VERSION ""
| #define PACKAGE_STRING ""
| #define PACKAGE_BUGREPORT ""
| #define PACKAGE_URL ""
| /* end confdefs.h.  */
|
| int
| main ()
| {
|
|   ;
|   return 0;
| }
configure:3026: error: in `/home/jeffrey/Desktop/ucommon-5.5.0':
configure:3028: error: C compiler cannot create executables
See `config.log' for more details
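
Once a build does accept the flags quoted in this message, their effect can be confirmed from the linked binary itself. The Python sketch below is an added example, not part of the original message or of any project it mentions; it reads the ELF64 headers and reports whether -pie, -z noexecstack, -z relro and -z now took effect. The names `check_hardening`, `make_elf`, `HARDENED` and `PLAIN` are hypothetical, and the two sample images are constructed, header-only files.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
ET_EXEC, ET_DYN, PF_X = 2, 3, 1
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes

def check_hardening(elf: bytes) -> dict:
    """Report which link-time hardening took effect (little-endian ELF64 only)."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    hdr = EHDR.unpack_from(elf, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    # ET_DYN is what -pie produces; shared objects are ET_DYN as well.
    # A missing PT_GNU_STACK header is reported as an executable stack.
    res = {"pie": e_type == ET_DYN, "nx_stack": False, "relro": False, "bind_now": False}
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(
            elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:        # -z noexecstack clears PF_X
            res["nx_stack"] = not p_flags & PF_X
        elif p_type == PT_GNU_RELRO:      # -z relro
            res["relro"] = True
        elif p_type == PT_DYNAMIC:        # -z now sets one of these dynamic tags
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<QQ", elf, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    res["bind_now"] = True
    return res

def make_elf(e_type, stack_flags, relro, dyn_tags):
    """Constructed sample image: headers and dynamic section only, not runnable."""
    dyn = b"".join(struct.pack("<QQ", t, v) for t, v in dyn_tags + [(DT_NULL, 0)])
    phdrs = [(PT_GNU_STACK, stack_flags, 0, 0), (PT_DYNAMIC, 6, None, len(dyn))]
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, 0, 0))
    dyn_off = EHDR.size + PHDR.size * len(phdrs)
    body = b"".join(PHDR.pack(t, f, dyn_off if o is None else o, 0, 0, sz, sz, 8)
                    for t, f, o, sz in phdrs)
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    return EHDR.pack(ident, e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0) + body + dyn

HARDENED = make_elf(ET_DYN, 6, True, [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)])
PLAIN = make_elf(ET_EXEC, 7, False, [])  # no -pie, executable stack, lazy binding
```

To check a real build product, pass the file's bytes, read in binary mode, to `check_hardening`.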