On Tue, Jun 24, 2014 at 06:33:33PM +0200, Romain Francoise wrote:
> On Tue, Jun 24, 2014 at 07:11:58AM -0700, Kees Cook wrote:
> > I wonder if there is any sensible way for dpkg-buildflags to detect (or
> > maybe just be told) which compile will be used for a build? Perhaps it
>
gt; + $flags->append('CXXFLAGS', '-fstack-protector-strong');
> + $flags->append('GCJFLAGS', '-fstack-protector-strong');
> + } else {
> + $flags->append('CFLAGS', '-fstack-protector
> --param=ssp-b
0m3.255s
...
>
> As it can bee seen the difference is pretty significant.
Yeah, that's massive. I would totally agree -- remove bindnow from
defaults.
> I'm changing it now on my local tree, will be included in my next
> push.
Thanks! I'll include &
Hi Kurt,
On Sun, Sep 11, 2011 at 02:14:09AM +0200, Kurt Roeckx wrote:
> On Wed, Sep 07, 2011 at 01:46:21PM -0700, Kees Cook wrote:
> > On Wed, Sep 07, 2011 at 10:37:13PM +0200, Guillem Jover wrote:
> > > Also I'm not sure now if this has been brought up before, but the
>
rwise, I would be very interested in seeing the
results. AFAICT, bindnow is entirely a win.
> All minus signs that can end up being copy&pasted into a runnable
> command, etc. need to be escaped as in \- so that man does not turn
> them into hyphens.
Ah, yes, good catch. Th
mplemented via a general register, some
> +architectures (most notably i386) can see performance losses of up to
> +15% in very text-segment-heavy application workloads; most workloads
Thanks!
-Kees
--
Kees Cook@debian.org
--
To UNSUBSCRIBE, e
ages will be affected by this.
>
> I'd say, enable it, keeping in mind that the failure mode is just a
> failed build and it's easy to disable again if someone screams. :)
And it's easy to filter out by the maintainer if they want. :)
--
Kees Cook
On Fri, Jul 29, 2011 at 12:29:17AM +0200, Raphael Hertzog wrote:
> On Thu, 28 Jul 2011, Kees Cook wrote:
> > That seems fine to me as long as I'm in a position to still be able to fix
> > bugs in the logic. :)
>
> Well, it's low-maintenance mode I hope so I have no
On Wed, Jul 27, 2011 at 05:13:30PM +0200, Raphael Hertzog wrote:
> On Wed, 27 Jul 2011, Kees Cook wrote:
> > > Assuming that all those improvements are done, the consensus was that
> > > it's fine for dpkg-buildflags to start emitting the hardening build
> >
he main
binary. But, as you say, worst-case situations tend to be things that use
very few library calls, like interpreters, compilers, etc. I would agree that
cc1 doesn't need to be PIE. I would, however, argue that interpreters
should be PIE, since they are frequently dealing with exte
t seemed like a good idea to me (which is why hardening.make has it), so
I'd support that again. Having a common way to control the flags seems like
a very good idea.
There's also the complex case of some build systems passing -fPIC to
everything, which supersedes -fPIE unfortunately. I
11 matches
Mail list logo
