Re: F31 System-Wide Change proposal: Enable Compiler Security hardening flags by default in G

On 3/15/19 9:49 PM, Richard W.M. Jones wrote:
> On Fri, Mar 15, 2019 at 04:15:58PM +0000, Richard W.M. Jones wrote:
>> On Mon, Mar 11, 2019 at 01:56:14PM -0400, Ben Cotton wrote:
>>> https://fedoraproject.org/wiki/Changes/HardenedCompiler
>>
>> I'm not opposing this, but is it possible we could do this without
>> breaking clang at the same time?
>>
>> In the past (and currently) the Fedora compiler flags need some hairy
>> editing so they work with clang, eg:
>>
>> https://src.fedoraproject.org/rpms/american-fuzzy-lop/blob/master/f/american-fuzzy-lop.spec#_110
>>
>> (Actually this is not the latest iteration - latest clang 7 and gcc 9
>> and Fedora 30+ needs even more editing, but I didn't push it yet since
>> there are other issues with this package.)
>>
>> It would be nice if there was a way we could avoid this.
> 
> So after rereading the proposal more carefully it seems as if the
> proposal is to change the defaults in GCC so no flags would need to be
> specified.  Would we consequently remove those flags from the command
> line (which would solve my problem above)?

The flags in my proposal will be removed from the command line during
the Fedora build process, since they are now default. Only people who
don't want to use these flags for some reason will need to unset them
(I am assuming there are not a lot of packages like that).

Currently, based on Jakub's suggestion, I am also planning to remove the
fortify_source flag and keep the others.

The plan is to start somewhere and each release work with glibc and
other teams so that we make more such security flags the default and also
work with packages which break due to inclusion of such flags.


-- 
Huzaifa Sidhpurwala / Red Hat Product Security Team