Hi again Gianfranco,

On Sun, Dec 29, 2024 at 03:28:03PM +0100, Joost van Baal-Ilić wrote:
> On Sun, Dec 29, 2024 at 03:12:34PM +0100, Gianfranco Costamagna wrote:
> >
> > Hello, looks like the code is setting FORTIFY_SOURCE=2 directly from
> > makefile, not allowing to override it from outside. This is a build issue
> > when people defaults e.g. to 3, something already done by some distros,
> > e.g. Ubuntu.

In your commit 0821bfa49bc5655f5c998bcd407329d223f2d662 @ salsa.d.o you wrote "we default to 3 in some architectures". Do you maybe have a citation or url about the usage in Debian of such a new default? I'd like to add that to debian/patches/no-fortify-source.patch's Description.

( I just learned this FORTIFY_SOURCE=3 default is being/has been introduced in Fedora, Ubuntu, OpenSUSE and Gentoo ( https://fedoraproject.org/wiki/Changes/Add_FORTIFY_SOURCE%3D3_to_distribution_build_flags " All packages in OpenSUSE ALP are built with _FORTIFY_SOURCE=3 by default. Gentoo is considering making _FORTIFY_SOURCE=3 the default level for their hardened profile "; https://wiki.ubuntu.com/ToolChain/CompilerFlags#A-D_FORTIFY_SOURCE.3D3 ). However, I didn't find any discussion or pointer about a move from 2 to 3 in Debian. I did find https://wiki.debian.org/Hardening#DEB_BUILD_HARDENING_FORTIFY_.28gcc.2Fg.2B-.2B-_-D_FORTIFY_SOURCE.3D2.29 though. )

> > I took the liberty to patch the code and commit the patch on git

<snip>

> Stefan: what do you think about it? Would you like to apply it upstream?
> Or would you prefer to keep the default on FORTIFY_SOURCE=2?
>
> Gianfranco: I'll wait on Stefan's reply and then decide on how to tackle this
> in the Debian packaging. Thanks again for the beautiful commit!

Gianfranco: would you like to also take care of uploading your work to ftp.d.o? I'd appreciate that (and would be happy to do it myself too, of course). But, as said, let's first wait a few days more on Stef's comments.

Bye,

Joost