Hi,

On 2022-08-30 14:07:41 -0400, Tom Lane wrote:
> Andres Freund <and...@anarazel.de> writes:
> > On 2022-08-30 13:24:39 -0400, Tom Lane wrote:
> >> Andres Freund <and...@anarazel.de> writes:
> >>> Perhaps it'd be saner to default to building with -Wl,-z,now? That should fix
> >>> the problem too, right (and if we combine it with relro, it'd be a security
> >>> improvement to boot).
>
> >> Hm. Not sure if that works on NetBSD, but I'll check it out.
>
> > FWIW, it's a decently (well over 10 years) old thing I think. And it's documented in
> > the netbsd ld manpage and their packaging guide (albeit indirectly, with their
> > tooling doing the work of specifying the flags):
> > https://www.netbsd.org/docs/pkgsrc/hardening.html#hardening.audit.relrofull
>
> It does appear that they use GNU ld, and I've just finished confirming
> that each of those switches has the expected effects on my PPC box.
> So yeah, this looks like a better answer.

Cool.

> Do we want to install this just for NetBSD, or more widely?
> I think we'd better back-patch it for NetBSD, so I'm inclined
> to be conservative about the change.

It's likely a good idea to enable it everywhere applicable, but I agree that
we shouldn't unnecessarily do so in the backbranches. So I'd be inclined to
add it to the netbsd template for the backbranches.

For HEAD I can see putting it into all the applicable templates, adding an
AC_LINK_IFELSE() test, or just putting it into the meson stuff.

Greetings,

Andres Freund
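
Added example, not part of the original message or of PostgreSQL's build system: one way to audit whether a built binary actually ended up with the "-z now" plus relro combination discussed above (full RELRO). It reads the ELF program headers and .dynamic entries directly; the function names and the constructed sample image are assumptions made for illustration, and only little-endian ELF64 is handled.

```python
import struct

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def relro_level(elf: bytes) -> str:
    """Classify a little-endian ELF64 image as 'none', 'partial' or 'full' RELRO."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("only little-endian ELF64 is handled here")
    e_phoff, = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    relro, bind_now = False, False
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:          # produced by -z relro
            relro = True
        elif p_type == PT_DYNAMIC:          # -z now shows up as dynamic tags
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<QQ", elf, off)
                if tag == DT_NULL:
                    break
                bind_now |= (tag == DT_BIND_NOW
                             or (tag == DT_FLAGS and bool(val & DF_BIND_NOW))
                             or (tag == DT_FLAGS_1 and bool(val & DF_1_NOW)))
    if not relro:
        return "none"
    # Without BIND_NOW the GOT entries used for lazy binding stay writable.
    return "full" if bind_now else "partial"

def build_sample(relro: bool, dyn: list) -> bytes:
    """Constructed minimal ELF64 image: headers and a .dynamic array only."""
    ptypes = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    dyn_off, dyn_size = 64 + 56 * len(ptypes), 16 * (len(dyn) + 1)
    out = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", 3, 62, 1,
                      0, 64, 0, 0, 64, 56, len(ptypes), 0, 0, 0)
    for p_type in ptypes:
        off, size = (dyn_off, dyn_size) if p_type == PT_DYNAMIC else (0, 0)
        out += struct.pack("<IIQQQQQQ", p_type, 4, off, off, off, size, size, 8)
    for tag, val in dyn + [(DT_NULL, 0)]:
        out += struct.pack("<QQ", tag, val)
    return out

if __name__ == "__main__":
    print(relro_level(build_sample(True, [(DT_FLAGS, DF_BIND_NOW)])))
```

On a real build, pass the bytes of the linked executable or shared library to relro_level() instead of the constructed sample.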