* Ben Cotton:

> '''-Wformat -Wformat-security -fstack-protector-strong
> --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2 -O'''

--param=ssp-buffer-size=4 will not affect anything because
-fstack-protector-strong uses a completely different heuristic.

> == Benefit to Fedora ==
> We provide better security both for our packages and for
> applications/programs which users are building. We can check using
> annocheck if there are packages missing hardening and fix them.

What's the current level of coverage we have? Have the Red Hat Enterprise
Linux 8 packaging changes been upstreamed? We were aiming for
nearly-complete coverage there.

> == Scope ==
> * Proposal owners: Patch gcc to enable these options by default. Patch
> should be very simple, since the compile/link code isn't actually
> touched.

-D_FORTIFY_SOURCE=2 by default needs patching of glibc because of the
pesky warning it prints without optimization.

What about PIE by default and non-lazy binding by default? These two are
probably the two hardest to get right with CFLAGS/LDFLAGS injection.
(PIE is the reason for the -specs= hack.)

PIE-by-default compilers are very common already, although there are
many StackOverflow questions from people who use them and follow older
training material.

Thanks,
Florian
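The two properties Florian calls hardest to get right by flag injection, PIE and non-lazy binding, are visible in the built ELF itself. The following checker is an added example for this thread, not code from Fedora or annocheck: it parses an ELF64 header, program headers and dynamic section with the standard ELF ABI constants, and `build_sample` is a constructed minimal image used only to exercise it. Stack-protector and fortify coverage are not inspected here; annocheck relies on compiler-emitted build notes for those.

```python
"""Check an ELF64 image for PIE, BIND_NOW and a RELRO segment."""
import struct

ET_DYN, PT_DYNAMIC, PT_GNU_RELRO = 3, 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000


def check_hardening(data: bytes) -> dict:
    """Return {'pie', 'bind_now', 'relro'} booleans for raw ELF64 bytes."""
    if data[:4] != b"\x7fELF" or data[4] != 2:  # EI_CLASS 2 == ELFCLASS64
        raise ValueError("not an ELF64 image")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    relro, bind_now_tag, flags, flags1 = False, False, 0, 0
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from("<I", data, off)
        p_offset, = struct.unpack_from("<Q", data, off + 8)
        p_filesz, = struct.unpack_from("<Q", data, off + 32)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:  # walk Elf64_Dyn entries (16 bytes each)
            for j in range(p_filesz // 16):
                d_tag, d_val = struct.unpack_from("<qQ", data, p_offset + j * 16)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_BIND_NOW:
                    bind_now_tag = True
                elif d_tag == DT_FLAGS:
                    flags = d_val
                elif d_tag == DT_FLAGS_1:
                    flags1 = d_val
    return {
        # ET_DYN alone is not enough: a shared library is ET_DYN too
        "pie": e_type == ET_DYN and bool(flags1 & DF_1_PIE),
        "bind_now": bind_now_tag or bool(flags & DF_BIND_NOW) or bool(flags1 & DF_1_NOW),
        "relro": relro,
    }


def build_sample(pie: bool, bind_now: bool) -> bytes:
    """Constructed test image: ELF header, two program headers, dynamic section."""
    dyn = struct.pack("<qQ", DT_FLAGS_1, (DF_1_PIE if pie else 0) | (DF_1_NOW if bind_now else 0))
    dyn += struct.pack("<qQ", DT_NULL, 0)
    dyn_off = 64 + 2 * 56  # header plus two Elf64_Phdr entries
    ehdr = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    ehdr += struct.pack("<HHIQQQIHHHHHH", ET_DYN, 0x3E, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 0)
    phdr += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn
```

Running `check_hardening(open(path, "rb").read())` over a package's installed binaries gives a quick coverage count for the PIE and BIND_NOW part of the question raised above.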