From: Ryan Hill
Date: Wed, 11 Sep 2013 00:07:29 -0600
To: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] Re: Improve the security of the default profile

On Tue, 10 Sep 2013 18:41:34 -0400
Richard Yao wrote:

> A few thoughts:
>
> 1. The kernel expects -fno-stack-protector to be the default. What will
> the effect be on kernel configuration once -fstack-protector is the default?

The kernel has supported building with -fstack-protector since 2.6.19 (at least
on x86/x86-64). It's controlled by CONFIG_CC_STACKPROTECTOR and if it's
disabled then -fno-stack-protector is explicitly added to the command line.

> 2. We should make sure that -fno-stack-protector is a supported CFLAG.
> This will make it easier to handle complaints from the vocal minority of
> our user base that want every last percentage point of performance.

If by supported you mean that they won't be removed by things like strip-flags,
then yes, -fstack-protector -fstack-protector-all -fno-stack-protector and
-fno-stack-protector-all are all on the whitelist.

> 3. I would like to point out that we are talking about deviating from
> upstream behavior and everyone is okay with it. Anyone who thinks we
> should stick to upstream when it is not good for us should speak now or
> risk being asked "where were you when..." whenever they try to use
> upstream as an excuse to hold back progress. ;)

In this case it seems every other distro is already doing this, so we're in
good company.

--
Ryan Hill psn: dirtyepic_sk
gcc-porting/toolchain/wxwidgets @ gentoo.org

47C3 6D62 4864 0E49 8E9E 7F92 ED38 BD49 957A 8463