-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 12/15/2015 12:35 PM, Florian Weimer wrote: > On 12/15/2015 12:18 PM, Antonio Trande wrote: > >> Since i started to rebuild my packages for hardened builds issue, >> I discovered (until now) a couple of libraries that result >> without "Canary protection" according to output of 'checksec' >> tool. > > checksec is very unreliable, unfortunately. Most of its checks can > err in both directions. > >> 1) From point of view of packaging, is it acceptable a forcing >> of -fstack-protector-all? > > It has a performance impact (a few percent). In general, it is > bad practice to override RPM_OPT_FLAGS. > >> 2) Does -fstack-protector-all permit a real protection where >> -fstack-protector-strong does not? > > These cases are GCC bugs. They do happen. Here is an example: > > https://gcc.gnu.org/bugzilla/show_bug.cgi?id=68680 > > But you should not have to worry about this; all you need to make > sure is that all C/C++ sources are compiled with > -fstack-protector-strong. > > Florian -- > Thanks for your clarification, Florian. - -- Antonio Trande mailto: sagitter 'at' fedoraproject 'dot' org http://fedoraos.wordpress.com/ https://fedoraproject.org/wiki/User:Sagitter GPG Key: 0x565E653C Check on https://keys.fedoraproject.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJWcoj3AAoJEF5tK7VWXmU8PZkH/3CF4jQfi+S8Y5ZLhbeNF5Zn +s0gUAy3tdhkzAZCrcrmGS2g9HW6Bc+wwMT0D5DzmnFQDRmOBdFfxyUz8tdc9Xt3 Cobmrf7S1Hc7UjUatdJ4pGOp+bmZUYQFp7p47flI7Sn70KWJuXhixQhQQs86CSLK wJPaVVrM+fETZ48QgZYWAhOo63NyHWLPxNks5TIEGQekb+tt/Mn1pR7EEG1ZDp/9 LJ4YPCODyasuyjcKLKNOqcUAKZYzj9R2ESHCUBvyBO8jzCqElf+JxIFXyMQqyyNR K2DjCpxvafRsSlRdpEqRe8xT4rrOO2VD58vmhFWC0cafqYEeuyUm3I7CBv2LqPk= =2+jf -----END PGP SIGNATURE----- -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
