On 13/03/2019 11:11, Florian Weimer wrote:
* Tom Hughes:
On 13/03/2019 03:27, Huzaifa Sidhpurwala wrote:
On 3/12/19 5:40 PM, Vít Ondruch wrote:
Will it help to mitigate issues such as:
https://bugzilla.redhat.com/show_bug.cgi?id=1284684
This is related to the following change which was made in Fedora 23:
https://fedoraproject.org/wiki/Changes/Harden_All_Packages.
My proposal does not touch PIE or RELRO at all, but is related to
compiling code with protections which mitigate, format string attacks
and stack-based buffer overflows. It is pretty common to enable these
flags while compiling, its just strange that we dont enable these by
default.
We do, just not by changing the compiler defaults.
Instead they are in %{optflags} which all packages are expected
to use for their compiler flags:
https://docs.fedoraproject.org/en-US/packaging-guidelines/#_compiler_flags
Here's what %optflags looks like for F29:
-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2
-Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong
-grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
I think Huzaifa knows that. 8-)
Well that hasn't been at all clear in this thread as he keeps
talking like we're not building packages with these options at
the moment.
Tom
--
Tom Hughes (tom@xxxxxxxxxx)
http://compton.nu/
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
