On Wed, Aug 22, 2012 at 6:17 PM, Jeffrey Walton <noloader@xxxxxxxxx> wrote:
> On Wed, Aug 22, 2012 at 3:36 PM, Russ Allbery <rra@xxxxxxxxxxxx> wrote:
>> Jeffrey Walton <noloader@xxxxxxxxx> writes:
>>
>> Here's what Debian is using:
>>
>> CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security
>> CPPFLAGS=-D_FORTIFY_SOURCE=2
>> CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security
>> FFLAGS=-g -O2
>> LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now
> Debian does a good job. I think there is room for improvement (such as
> DEP and ASLR), and hope the maintainers stiffen their security posture
> in the future.

Forgot to mention.... I know some folks in DoD that have some really
interesting stack based attacks. They can take out an innocent looking
frame in an area different than the call site. Hence the reason to
consider -fstack-protector-all (make it as painful as possible on
them).

Jeff
_______________________________________________
Autoconf mailing list
Autoconf@xxxxxxx
https://lists.gnu.org/mailman/listinfo/autoconf
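
An added example, not part of the original thread: a POSIX shell check that audits a build's flag string against the Debian set quoted above and reports which stack-protector mode is in effect, the distinction raised in the reply. The function names and the feature labels it prints are hypothetical, and the sample input is the quoted flags joined into one string.

```shell
#!/bin/sh
# Constructed sample: the Debian CFLAGS, CPPFLAGS and LDFLAGS quoted above, joined.
DEBIAN_FLAGS='-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -fPIE -pie -Wl,-z,relro -Wl,-z,now'

# Print the stack-protector mode a flag string selects (none, default, all).
# GCC honours the last -f[no-]stack-protector* option on the command line.
stack_protector_level() {
    level=none
    for flag in $1; do
        case $flag in
            -fno-stack-protector)  level=none ;;
            -fstack-protector)     level=default ;;
            -fstack-protector-all) level=all ;;
        esac
    done
    echo "$level"
}

# Print yes/no: is linker option "-z KEY" present? Handles -Wl,-z,KEY,
# -Wl,-z -Wl,KEY and a bare "-z KEY" that the gcc driver forwards to ld.
has_linker_z() {
    key=$2; prev=''; found=no
    for flag in $1; do
        for word in $(printf '%s\n' "${flag#-Wl,}" | tr ',' ' '); do
            if [ "$prev" = "-z" ] && [ "$word" = "$key" ]; then found=yes; fi
            prev=$word
        done
    done
    echo "$found"
}

# Print the features of the Debian set that the flag string lacks,
# space-separated (labels are hypothetical); empty output means none missing.
missing_hardening() {
    flags=" $(printf '%s ' $1)"; missing=''   # normalise whitespace
    case $flags in *" -fPIE "*|*" -fpie "*) ;; *) missing="$missing pie-compile" ;; esac
    case $flags in *" -pie "*) ;; *) missing="$missing pie-link" ;; esac
    case $flags in *" -D_FORTIFY_SOURCE=2 "*) ;; *) missing="$missing fortify" ;; esac
    case $flags in *" -Werror=format-security "*) ;; *) missing="$missing format-security" ;; esac
    [ "$(stack_protector_level "$1")" != none ] || missing="$missing stack-protector"
    [ "$(has_linker_z "$1" relro)" = yes ] || missing="$missing relro"
    [ "$(has_linker_z "$1" now)" = yes ] || missing="$missing bindnow"
    echo "${missing# }"
}

echo "stack protector: $(stack_protector_level "$DEBIAN_FLAGS")"
echo "missing: $(missing_hardening "$DEBIAN_FLAGS")"
```

For the quoted Debian flags this reports the `default` stack-protector mode and nothing missing; appending `-fstack-protector-all` to the string changes the reported mode to `all`.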