On 8/20/2014 2:26 PM, Matthias Andree wrote:
> On 20.08.2014 at 18:34, Bryan Drewery wrote:
>
>> We have not had any feedback on this yet and want to get it enabled by
>> default for ports and packages.
>
> Oops. Sorry about being silent about that;
> I did enable WITH_SSP_PORTS=yes right after the original announcement on
> my main 9.3-amd64 development machine (run mostly headless, but it does
> have a full GNOME2 install) without ill effects, so at least it does not
> appear to jam everything right away, and given that Fedora is using it
> and they are rather talkative to upstreams about bugs, you'd think most
> packages that have issues are fixed now.

Yeah I am sure it will largely be fine as well. I just worry about some
sloppy coding breaking some popular port, or some clever hack that
results in crashing with SSP. I also have this vague worry that
something might break if the system is half using SSP. Given the linker
script on 10 (cat /usr/lib/libc.so) though I think it is definitely
safe there.

Given the feedback already I am confident we'll enable it by default in
a few weeks. Too much moving right now to do it now though. This will
also free up a lot of resources for other package building
opportunities.

> Is there any way we can detect the effects of -fstack-protector from the
> resulting executable, with peeking at objdump output? Like so:
>
> $ objdump -R /usr/local/bin/twolame | grep stack_chk
> 0000000000605ce0 R_X86_64_COPY __stack_chk_guard
> 00000000006053b0 R_X86_64_JUMP_SLOT __stack_chk_fail
>
> Should we have stage-qa - at least in DEVELOPER=yes WITH_SSP_PORTS=yes
> mode - check that either -fstack-protector{,-all,-strong} actually
> propagated through the build system?

I like that idea for a warning. We would have to ensure only ELF files
are checked and probably exp-run it to avoid other false-positives.

-- 
Regards,
Bryan Drewery
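
The check discussed in this thread, sketched as an added example (it is not code from either poster or from the ports tree): walk a staging directory, skip everything that is not an ELF file, and warn when the `objdump -R` output shows no `__stack_chk_*` reference. The function names `is_elf`, `has_ssp` and `check_ssp` and the `SSP_MISSING` variable are hypothetical.

```shell
#!/bin/sh
# Added example: warn about staged ELF files that show no SSP references.
# Function and variable names are hypothetical, not taken from the ports tree.

# is_elf FILE: true if FILE is a regular file starting with 0x7f 'E' 'L' 'F'.
is_elf() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# has_ssp FILE: true if the dynamic relocations reference __stack_chk_*,
# the same test as the "objdump -R ... | grep stack_chk" shown in the mail.
has_ssp() {
    objdump -R "$1" 2>/dev/null | grep -q '__stack_chk_'
}

# check_ssp DIR: print one warning per ELF file without SSP references and
# leave the count in SSP_MISSING. It only warns: plain -fstack-protector
# instruments just the functions with suitable buffers, so a small binary
# can legitimately have no reference, and static binaries have no dynamic
# relocations for objdump -R to list.
check_ssp() {
    SSP_MISSING=0
    list=$(mktemp) || return 1
    find "$1" -type f > "$list"
    while IFS= read -r f; do
        is_elf "$f" || continue      # scripts, data files, documentation
        if ! has_ssp "$f"; then
            echo "Warning: $f has no __stack_chk references"
            SSP_MISSING=$((SSP_MISSING + 1))
        fi
    done < "$list"
    rm -f "$list"
}
```

Call `check_ssp` with the staging directory after the stage step; a non-zero `SSP_MISSING` marks ports whose build system may be dropping the flag and are worth a manual look.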