Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 6 Nov 2011 23:33:50 +0400
From: Solar Designer <>
Subject: Re: %optflags for new gcc

On Sun, Nov 06, 2011 at 08:45:19PM +0400, Vasiliy Kulikov wrote:
> In Ubuntu's gcc (from Ubuntu 10.04, some of them might be included
> upstream):

There's also:

> gcc-default-format-security.diff
> # DP: Turn on -Wformat -Wformat-security by  default for C, C++, ObjC,
> # ObjC++.

Yes, and then there are testsuite-hardening-format.diff and
testsuite-hardening-printf-types.diff.  These are just for the
testsuite, which I understand we currently don't run anyway, but I think
the issues patched there may be representative of what we'll see in
other packages if we enable -Wformat by default.

I'm not sure that we want to enable those warnings by default (without
-Wall) just to have extra stuff to patch then.  It is not obvious where
to stop in enabling more warnings by default (if go that route at all).

I briefly thought of making -Wformat-security the default without also
enabling -Wformat, but apparently that's not supported.

> gcc-default-fortify-source.diff
> # DP: Turn on -D_FORTIFY_SOURCE=2 by default for C, C++, ObjC, ObjC++.
> gcc-default-relro.diff
> # DP: Turn on -Wl,-z,relro by default.
> gcc-default-ssp.diff
> # DP: Turn on -fstack-protector by default for C, C++, ObjC, ObjC++.


> # DP: Build libgcc using -fno-stack-protector.

I guess this is to allow building programs that would use libgcc, but
not depend on the ssp symbols from glibc?

> libstdc++-pic.diff
> # DP: Build and install libstdc++_pic.a library.

Who/what would know to use this library?  Is there some logic to probe
for *_pic.a library filenames automatically?

> note-gnu-stack.diff
> # DP: Add .note.GNU-stack sections for gcc's crt files, libffi and boehm-gc
> # DP: Taken from FC.

Surprisingly, this patch is still present in
gcc-4.6_4.6.2-2ubuntu1.diff.gz.  Also, it is mostly by Jakub Jelinek,
who I understand is an upstream maintainer of gcc.  The remaining
portions of it are for relatively uncommon archs, though.

On a related note, I am similarly puzzled by Jakub's patches in Fedora's
package of gcc.  Perhaps there's some reason why Jakub feels those are
not appropriate for the upstream gcc.

> testsuite-hardening-*
> Fix testsuites to pass -W* checks

Oh, you spotted those too.


Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ