From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 15142 invoked from network); 23 Sep 2004 20:38:57 +0000 Received: from smtp.gentoo.org (156.56.111.197) by lists.gentoo.org with AES256-SHA encrypted SMTP; 23 Sep 2004 20:38:57 +0000 Received: from lists.gentoo.org ([156.56.111.196] helo=parrot.gentoo.org) by smtp.gentoo.org with esmtp (Exim 4.41) id 1CAaMi-00063x-Mb for arch-gentoo-dev@lists.gentoo.org; Thu, 23 Sep 2004 20:38:56 +0000 Received: (qmail 26154 invoked by uid 89); 23 Sep 2004 20:38:56 +0000 Mailing-List: contact gentoo-dev-help@gentoo.org; run by ezmlm Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-dev@gentoo.org Received: (qmail 22892 invoked from network); 23 Sep 2004 20:38:55 +0000 Date: Thu, 23 Sep 2004 21:35:35 +0100 From: Ciaran McCreesh To: solar@gentoo.org Cc: gentoo-dev@lists.gentoo.org Message-ID: <20040923213535.0d899b28@snowdrop.home> In-Reply-To: <1095971292.28392.55.camel@simple> References: <4151A04F.5090304@comcast.net> <200409222240.15226.vapier@gentoo.org> <20040923164736.657b489d@andy.genone.homeip.net> <200409231503.18064.vapier@gentoo.org> <1095971292.28392.55.camel@simple> X-Mailer: Sylpheed-Claws 0.9.12a (GTK+ 1.2.10; i686-pc-linux-gnu) Mime-Version: 1.0 Content-Type: multipart/signed; protocol="application/pgp-signature"; micalg="pgp-sha1"; boundary="Signature=_Thu__23_Sep_2004_21_35_35_+0100_YFfTXOAnowstyu2h" Subject: Re: [gentoo-dev] Stack smash protected daemons X-Archives-Salt: b0746470-b6b7-43fa-8c3d-7c78332a83d4 X-Archives-Hash: 13b77dc0b72573a3ec11bd7d8d5f793b --Signature=_Thu__23_Sep_2004_21_35_35_+0100_YFfTXOAnowstyu2h Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: 7bit On Thu, 23 Sep 2004 16:28:13 -0400 Ned Ludd wrote: | But the disadvantage here is that we have to explicitly add said USE | flag to the profiles (which you know a certain somebody might come | right in and disable it) unless we rename said flag/feature (cuz you | don't want "no"flags) to something like USE=idiot then the logic in | ebuilds could work as. use idiot || append-flags -fstack-protector | Or perhaps even following in the footsteps of x11-base/xorg which has | "insecure-drivers" but maybe using the name "insecure-cflags" They're not 'insecure' CFLAGS. Adding -fstack-protector does not make your code "more secure". It means that if you have insecure code, you may or may not suffer reduced consequences if someone tries to do nasty things to your box. Also, make sure it's a "use foo &&" style flag, otherwise it can't be masked where necessary. "use foo ||" things break use.mask. -- Ciaran McCreesh : Gentoo Developer (Sparc, MIPS, Vim, Fluxbox) Mail : ciaranm at gentoo.org Web : http://dev.gentoo.org/~ciaranm --Signature=_Thu__23_Sep_2004_21_35_35_+0100_YFfTXOAnowstyu2h Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFBUzOZ96zL6DUtXhERAhPVAKCS8djJSct/QiKR4KHNdZbbLy08+wCePruQ //fWEC0oHYZ3sLS78TeyCfQ= =TxHi -----END PGP SIGNATURE----- --Signature=_Thu__23_Sep_2004_21_35_35_+0100_YFfTXOAnowstyu2h--