On Sat, Jul 1, 2017 at 09:54 AM, arch-general <arch-general@xxxxxxxxxxxxx> wrote:
> > On 2016-10-24 05:56, Allan McRae wrote:
> > > 1) building gcc to enable PIE by default
> > >
> > I am in the middle of rebuilding gcc with --enable-default-pie. When it
> > finishes, I will start a todo for rebuilding packages with static libraries.
> >
> > I also enabled --enable-default-ssp, which means that
> > -fstack-protector-strong will be dropped from our CFLAGS (as it will be
> > enforced by gcc) on the next opportunity.
> >
> > Bartłomiej
>
> Does the -enable-default-ssp also enforce -fstack-check=specific to protect
> from stack clash [1]? Gentoo does it (except on vlc and tcl, which do not build,
> but those are upstream bugs) [2]
>
> [1] https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash
> [2] https://wiki.gentoo.org/wiki/Hardened/Gentoo_Hardened_and_Stack_Clash
>
> Pablo Lezaeta

No, it doesn't, but the original plan [1] was to enable -fstack-check, -fno-plt and -z,now to default flags in makepkg.conf. I hope the Pacman maintainer will add those before the mass rebuild starts so everything will be done at once.

[1] https://lists.archlinux.org/pipermail/arch-dev-public/2016-October/028405.html