On Thu, 05 Sep 2013 12:13:28 +0200
Agostino Sarubbo wrote:

> Hello,
>
> during an IRC debate, me and other people just noticed that the default
> profile could use more flags to enhance the security.
>
> A hint is here:
> https://wiki.ubuntu.com/ToolChain/CompilerFlags
>
> Please argue about what we _don't_ use.
>
> Note: please CC me in your response.

* -fstack-protector{-all}

No thank you. -fstack-protector has very limited coverage (which is why Ubuntu
felt they needed to mess with the min size) and -fstack-protector-all has
enough overhead that every distro that experimented with it dropped it in the
end. If security is important enough to you that you are willing to take the
hit then you should be using hardened where it's the default.

There is a new option, -fstack-protector-strong, that's intended to be a
balance between the two extremes and something that distros can enable by
default. It was just added to mainline so it should be in GCC 4.9. So let's
revisit this a couple years down the line.

* -D_FORTIFY_SOURCE=2

Enabled by default since gcc-4.5.0 (patch)

* -Wformat -Wformat-security

Enabled by default since gcc 4.3.3 (patch)

* -Wl,-z,relro

Enabled by default since binutils 2.18 (and as far back as 2.15 for the HJL
releases). (patch)

* -Wl,--hash-style={both,gnu}

Enabled by default since binutils 2.18 except on mips where it is unsupported.
(patch sets it to "both", developer profiles set it to "gnu" for ignored
LDFLAGs detection)

* -Wl,--no-copy-dt-needed-entries/-Wl,--no-add-needed

Enabled by default since binutils 2.22. (upstream default)

* -Wl,--as-needed

Enabled by default since July 2010 (in profiles). I think this is the upstream
default now as well.

In addition to these we also enable -Wtrampolines and warn on DT_TEXTRELs.

--
Ryan Hill                        psn: dirtyepic_sk
   gcc-porting/toolchain/wxwidgets @ gentoo.org

47C3 6D62 4864 0E49 8E9E  7F92 ED38 BD49 957A 8463
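Added example, not part of the original message or of Gentoo's tooling: a small audit of which of the properties listed above are visible in a built ELF file, parsed from `readelf -lW -d --dyn-syms` output. The sample text is constructed, and the function name and result keys are assumptions made for illustration.

```python
import re
import subprocess
import sys

# Constructed sample: abridged text in the layout of `readelf -lW -d --dyn-syms`.
SAMPLE = """\
Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x000628 0x000628 R   0x1000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x002db8 0x0000000000003db8 0x0000000000003db8 0x000248 0x000248 R   0x1

Dynamic section at offset 0x2dc8 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000006ffffef5 (GNU_HASH)           0x3a0
 0x0000000000000004 (HASH)               0x3c8

Symbol table '.dynsym' contains 4 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (4)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.2.5 (2)
"""

def audit(text):
    """Map readelf output to the hardening properties discussed in the thread."""
    segments = set(re.findall(r"^[ \t]+([A-Z_]+)[ \t]+0x", text, re.M))
    tags = set(re.findall(r"^[ \t]*0x[0-9a-f]+[ \t]+\((\w+)\)", text, re.M))
    undefined = set(re.findall(r"\bUND[ \t]+(\w+)", text))
    styles = {(True, True): "both", (True, False): "gnu", (False, True): "sysv"}
    return {
        "relro": "GNU_RELRO" in segments,                       # -Wl,-z,relro
        "hash_style": styles.get(("GNU_HASH" in tags, "HASH" in tags), "none"),
        # DT_TEXTREL may appear as its own tag or as a bit in DT_FLAGS.
        "textrel": bool(re.search(r"\(TEXTREL\)|\(FLAGS\).*\bTEXTREL\b", text)),
        # Absence is not proof: with plain -fstack-protector a binary may
        # contain no function that qualifies for a canary.
        "stack_protector": "__stack_chk_fail" in undefined,
        # Absence is not proof: only calls the compiler can size get a _chk variant.
        "fortified": any(re.fullmatch(r"__\w+_chk", s) for s in undefined),
    }

if __name__ == "__main__":
    text = SAMPLE
    if len(sys.argv) > 1:  # optional: audit a real file instead of the sample
        cmd = ["readelf", "-lW", "-d", "--dyn-syms", sys.argv[1]]
        text = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    for name, value in audit(text).items():
        print(f"{name:16} {value}")
```
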