Re: Hardened toolchain
From: kiasoc5
Subject: Re: Hardened toolchain
Date: Fri, 29 Apr 2022 17:51:26 +0200 (CEST)

Apr 29, 2022, 10:31 by zimon.toutoune@gmail.com:
> Hi,
>
> On Tue, 29 Mar 2022 at 12:15, Ludovic Courtès <ludo@gnu.org> wrote:
>
>> Stack smashing protection (SSP) may incur measurable run-time overhead
>> though so enabling that one by default may be less consensual.
>>
>
> That’s true and it could be an issue for HPC practitioners. However,
> quoting Wikipedia [1], for what it is worth:
>
> --8<---------------cut here---------------start------------->8---
> All Fedora packages are compiled with -fstack-protector since Fedora
> Core 5, and -fstack-protector-strong since Fedora 20.[19][20] Most
> packages in Ubuntu are compiled with -fstack-protector since 6.10.[21]
> Every Arch Linux package is compiled with -fstack-protector since
> 2011.[22] All Arch Linux packages built since 4 May 2014 use
> -fstack-protector-strong.[23] Stack protection is only used for some
> packages in Debian,[24] and only for the FreeBSD base system since
> 8.0.[25] Stack protection is standard in certain operating systems,
> including OpenBSD,[26] Hardened Gentoo[27] and DragonFly BSD.
> --8<---------------cut here---------------end--------------->8---
>
>
Anaconda (science package distribution) compiles their packages with a variety
of security flags. These include PIE, SSP, fortify, RELRO, NOW.
https://www.anaconda.com/blog/improved-security-performance-in-anaconda-distribution-5
> Well, I miss if Guix is built using this ’-fstack-protector’ flag; or
> whether it is included by default.
>
Are /any/ build flags used by default? I think right now only an empty list is
used for makeflags by default. It also depends on the configuration for gcc and
binutils; they can be set to enforce SSP and others by default.
> Cheers,
> simon
>
>
>
> 1:
> <https://en.wikipedia.org/wiki/Buffer_overflow_protection#GNU_Compiler_Collection_(GCC)>
>
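
One way to check whether a built binary actually carries the properties named in this message (PIE, SSP, fortify, RELRO, NOW), as an added example that is not part of the original message or of Guix. The function names `classify` and `check` and both readelf excerpts are constructed for illustration; only the `readelf` options are real binutils ones.

```python
import re
import subprocess
import sys

def classify(text):
    """Derive the five properties from `readelf -W -h -l -d --dyn-syms` output."""
    def has(pattern):
        return re.search(pattern, text, re.M) is not None
    return {
        # ET_DYN plus a program interpreter: a PIE, not a shared library
        "PIE": has(r"^\s*Type:\s+DYN\b") and has(r"^\s*INTERP\b"),
        # Heuristic: functions with a canary call __stack_chk_fail on mismatch
        "SSP": has(r"\b__stack_chk_fail\b"),
        # Heuristic: _FORTIFY_SOURCE redirects calls to __memcpy_chk and friends
        "fortify": has(r"\b__\w+_chk\b"),
        # PT_GNU_RELRO alone is partial RELRO; with NOW the GOT is read-only too
        "RELRO": has(r"^\s*GNU_RELRO\b"),
        "NOW": has(r"\(BIND_NOW\)|\(FLAGS\).*\bBIND_NOW\b|\(FLAGS_1\).*\bNOW\b"),
    }

def check(path):
    """Run readelf (binutils) on a real file and classify its output."""
    cmd = ["readelf", "-W", "-h", "-l", "-d", "--dyn-syms", path]
    return classify(subprocess.run(cmd, capture_output=True, text=True, check=True).stdout)

# Constructed readelf excerpts (not from any real package), trimmed to the relevant lines.
HARDENED = """\
  Type:                              DYN (Position-Independent Executable file)
  INTERP         0x000318 0x0000000000000318 0x0000000000000318 0x00001c 0x00001c R   0x1
  GNU_RELRO      0x002d90 0x0000000000003d90 0x0000000000003d90 0x000270 0x000270 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     6: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (4)
"""
PLAIN = """\
  Type:                              EXEC (Executable file)
  INTERP         0x000318 0x0000000000400318 0x0000000000400318 0x00001c 0x00001c R   0x1
  GNU_RELRO      0x002e10 0x0000000000403e10 0x0000000000403e10 0x0001f0 0x0001f0 R   0x1
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (2)
"""

if __name__ == "__main__":
    for name, sample in (("hardened", HARDENED), ("plain", PLAIN)):
        print(name, classify(sample))
    for path in sys.argv[1:]:
        print(path, check(path))
```

The SSP and fortify results are symbol-based heuristics: a binary built with the flags but containing no function that needs a canary or a checked libc call will report them as absent, and statically linked binaries have no dynamic symbols to inspect.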