On 3/13/19 5:22 PM, Jakub Jelinek wrote:
> On Wed, Mar 13, 2019 at 12:38:02PM +0100, Dridi Boukelmoune wrote:
>> On Wed, Mar 13, 2019 at 12:19 PM Jakub Jelinek <jakub@xxxxxxxxxx> wrote:
>>>
>>> On Mon, Mar 11, 2019 at 01:56:14PM -0400, Ben Cotton wrote:
>>>> https://fedoraproject.org/wiki/Changes/HardenedCompiler
>>>>
>>>> == Summary ==
>>>> By Default enable a few security hardening flags which are used with GCC.
>>>
>>> I'm strongly against this, the reasons have been explained multiple times.
>>>
>>> We have annobin and easy way to determine what misses to propagate the flags
>>> down.
>>
>> I think the key sentence here is this one:
>>
>>> == Benefit to Fedora ==
>>> We provide better security both for our packages and for
>>> applications/programs which users are building.
>>
>> IMHO this should have nothing to do with our packages since we already
>> have guidelines regarding hardening and in most cases it should be the
>> case without package maintainer intervention (exotic build systems or
>> misuse or misconfiguration do exist).
>>
>> To me this change should only be meant for end-users of GCC, not the
>> Fedora build infrastructure itself.
>
> I'm all for making it easier for users, say by adding
> hardened-gcc/hardened-g++ wrappers or some dir with gcc/g++ wrappers users
> can prepend in PATH if they want certain behavior, but changing the defaults
> of what gcc does is a huge mistake. I know some distros have done it for
> certain options, that doesn't change my opinion about it.
> The thing is, when the defaults change, then people using the compiler need
> to start using -fno-pie, -U__FORTIFY_SOURCE, -fno-stack-protector and the
> like whenever they do want normal behavior, and as cross environments you
> can't rely on the same defaults you need to stick those or the hardening
> flags everywhere because you don't know what the compiler of the day will
> do.
> Not to mention that -D__FORTIFY_SOURCE=2 rejects some valid C programs,
> so gcc would be no longer standard compliant (and e.g. glibc headers warn
> about it when used with -O0).
> It is a similar reason why gcc doesn't change all of sudden -O0 default to
> -O2.

If -D__FORTIFY_SOURCE=2 breaks applications we can exclude that from the
default flags. However I still think we should keep the other flags. It's up
to developers to disable security flags if they want to, but that does not
mean we should have default secure options. We assume that developers know
what they are doing when they disable these flags.

Also if it breaks on some arches, we can probably only enable it on x86_64 to
start with.

>
> Jakub
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
>

--
Huzaifa Sidhpurwala / Red Hat Product Security Team