Date: Wed, 8 Feb 2012 08:18:37 +0100
From: "Gilles Espinasse" <g.esp@...e.fr>
To: <owl-dev@...ts.openwall.com>
Subject: Re: -Wl,-z,now (was: %optflags for new gcc)


----- Original Message ----- 
From: "Vasiliy Kulikov" <segoon@...nwall.com>
To: <owl-dev@...ts.openwall.com>
Sent: Tuesday, February 07, 2012 8:13 PM
Subject: Re: [owl-dev] -Wl,-z,now (was: %optflags for new gcc)


> On Sun, Feb 05, 2012 at 13:59 +0400, Solar Designer wrote:
> > On Sat, Feb 04, 2012 at 07:50:54PM +0400, Vasiliy Kulikov wrote:
> > > 8) -Wl,-z,now
> > >
> > > I agree with Pavel here that we should use secure defaults and disable
> > > -z,now only for those binaries which do suffer from slow startups like
> > > php or perl.  Are there other widespread use cases where startup
> > > slowdown is significant?
> >
> > I think speed of invocation of various coreutils commands from shell
> > scripts might be relevant in case of scripts with loops.
>
> Probably you're right, I'll try to test it with "make buildworld".
> I'm sure it is not visible to the user in such an environment where gcc runs
> longer by an order of magnitude compared to scripts.  We could test the
> slowdown of 'configure' stage, probably it would be more representative.
>
>
> > In case we enable -Wl,-z,now as gcc default, how do we (or our users)
> > disable it on individual occasions?  For relro, there's norelro - but is
> > there a nonow?
>
> It is -z,lazy.
>
It's doable to have a nonow option when patching the specs, like in
http://ipcop.svn.sourceforge.net/viewvc/ipcop/ipcop/trunk/src/patches/gcc-4.4.5_fpie-1.patch?view=log
Patch was borrowed as is from HLFS.

Gilles
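
Added example, not part of the original message or of any project mentioned in the thread: when -z now becomes the default and selected packages opt out with -z lazy, this check reads the ELF dynamic section to show which binaries ended up with which binding mode, and whether relro is present. It assumes little-endian ELF64 files; `binding_mode` is a hypothetical helper name.

```python
import struct
import sys

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def binding_mode(elf: bytes) -> dict:
    """Report relro and bind-now status for a little-endian ELF64 image.

    binding_mode is a hypothetical helper name; only ELF64/LSB is handled.
    """
    if elf[:4] != b"\x7fELF" or elf[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    result = {"dynamic": False, "relro": False, "bind_now": False}
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:        # emitted by -z relro
            result["relro"] = True
        elif p_type == PT_DYNAMIC:
            result["dynamic"] = True
            # Walk the Elf64_Dyn entries (16 bytes each) up to DT_NULL.
            for off in range(p_offset, p_offset + p_filesz, 16):
                d_tag, d_val = struct.unpack_from("<qQ", elf, off)
                if d_tag == DT_NULL:
                    break
                # -z now is recorded in any of three places, depending on
                # the linker version; -z lazy leaves all of them unset.
                if (d_tag == DT_BIND_NOW
                        or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                        or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                    result["bind_now"] = True
    return result


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            info = binding_mode(fh.read())
        if not info["dynamic"]:
            verdict = "static (no dynamic section)"
        elif info["relro"]:
            verdict = "full relro" if info["bind_now"] else "partial relro (lazy)"
        else:
            verdict = "no relro, " + ("now" if info["bind_now"] else "lazy")
        print(f"{path}: {verdict}")
```

Run it over the installed binaries after a rebuild to confirm that only the intended packages were linked lazily.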
