Re: F31 System-Wide Change proposal: Enable Compiler Security hardening flags by default in G

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Mar 11, 2019 at 01:56:14PM -0400, Ben Cotton wrote:
> https://fedoraproject.org/wiki/Changes/HardenedCompiler
> 
> == Summary ==
> By Default enable a few security hardening flags which are used with GCC.
> 
> == Owner ==
> * Name: [[User:huzaifas|Huzaifa Sidhpurwala]]
> * Email: huzaifas@xxxxxxxxxx
> * Release notes owner: huzaifas@xxxxxxxxxx
> 
> 
> == Detailed Description ==
> Currently GCC does not enable any security hardening flags by default.
> They have to be explicitly enabled by the developers one-by-one.
> Ubuntu (https://wiki.ubuntu.com/ToolChain/CompilerFlags) however
> enables them and therefore has a hardened compiler by default. Each of
> these options can be explicitly disabled if required by the developer
> via a GCC command line flag.  I am currently proposing the following
> flags be enabled by default.
> 
> '''-Wformat -Wformat-security -fstack-protector-strong
> --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2 -O'''''

> | 1 || -Wformat || Check calls to "printf" and "scanf", etc., to make
> sure that the arguments supplied have types appropriate to the format
> string specified, and that the conversions specified in the  format
> string make sense. || -Wno-format
> |-
> | 2 || -Wformat-security || If -Wformat is specified, also warn about
> uses of format functions that represent possible security problems.
> || -Wno-format should disable this as well

These two are very valuable warnings. If a C application's existing
build process has not already enabled them by default, I would expect
they'll trigger a great number of warnings.

We're not using -Werror in Fedora though, so these will not cause a
build failure.

Are we expecting Fedora maintainers to read the build logs & look for
these new warnings & report them upstream for fixing ? I'm sceptical
that many maintainers are going to put effort into that kind of thing
if it isn't blocking their builds.

IOW what is the real benefit of enabling them ? Emitting more warnings
doesn't make Fedora more secure as the change claims. To be more secure
would require using -Werror=format-security which would be a harder sell
as a default policy for Fedora.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux