On 3/13/19 5:30 PM, Daniel P. Berrangé wrote: > On Mon, Mar 11, 2019 at 01:56:14PM -0400, Ben Cotton wrote: >> https://fedoraproject.org/wiki/Changes/HardenedCompiler >> >> == Summary == >> By Default enable a few security hardening flags which are used with GCC. >> >> == Owner == >> * Name: [[User:huzaifas|Huzaifa Sidhpurwala]] >> * Email: huzaifas@xxxxxxxxxx >> * Release notes owner: huzaifas@xxxxxxxxxx >> >> >> == Detailed Description == >> Currently GCC does not enable any security hardening flags by default. >> They have to be explicitly enabled by the developers one-by-one. >> Ubuntu (https://wiki.ubuntu.com/ToolChain/CompilerFlags) however >> enables them and therefore has a hardened compiler by default. Each of >> these options can be explicitly disabled if required by the developer >> via a GCC command line flag. I am currently proposing the following >> flags be enabled by default. >> >> '''-Wformat -Wformat-security -fstack-protector-strong >> --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2 -O''''' > >> | 1 || -Wformat || Check calls to "printf" and "scanf", etc., to make >> sure that the arguments supplied have types appropriate to the format >> string specified, and that the conversions specified in the format >> string make sense. || -Wno-format >> |- >> | 2 || -Wformat-security || If -Wformat is specified, also warn about >> uses of format functions that represent possible security problems. >> || -Wno-format should disable this as well > > These two are very valuable warnings. If a C application's existing > build process has not already enabled them by default, I would expect > they'll trigger a great number of warnings. > > We're not using -Werror in Fedora though, so these will not cause a > build failure. > > Are we expecting Fedora maintainers to read the build logs & look for > these new warnings & report them upstream for fixing ? I'm sceptical > that many maintainers are going to put effort into that kind of thing > if it isn't blocking their builds. > Its upto the package maintainer to use -Werror to block builds which show these warnings. I dont think we should enforce at this point. But maybe at some time later we could: 1. Do an automated scan of build logs to figure out which packages show these warnings and figure out how to handle them. 2. For critical packages like network daemons etc, we could actively block packages which show these warnings. Overall as i mentioned before, i would like to start somewhere :) -- Huzaifa Sidhpurwala / Red Hat Product Security Team _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
