05.09.2013 14:47, Tom Wijsman wrote:
> On Thu, 05 Sep 2013 12:13:28 +0200
> Agostino Sarubbo wrote:
>
>> Hello,
>>
>> during an IRC debate, me and other people just noticed that the
>> default profile could use more flags to enhance the security.
>>
>> A hint is here:
>> https://wiki.ubuntu.com/ToolChain/CompilerFlags
>>
>> Please argue about what we _don't_ use.
>>
>> Note: please CC me in your response.
>
> What I wonder about here is at which cost this does come, when looking
> at the fstack-protector then I see that it "emits extra code"; so, now
> the question is what kind of overhead this causes.
>
> I am pretty sure security might not be that important on a real time
> system that perhaps isn't connected to the internet; so, besides making
> it the default, we might want to introduce the necessary means to turn
> it off again, by the very least perhaps documentation would suffice.
>
> Do you intend to discuss that flag or more generally any security flag?
>

Regarding -fstack-protector - it can be used at least in hardened
profiles (but I have some sort of bad experience with it and uclibc[1]).
Also, the kernel has an appropriate option to enable it during build.

However, I am not skilled with GCC internals, so I can say nothing about
the performance impact this flag may have. Maybe toolchain guys can bring
light on this ;-)

[1] - https://bugs.gentoo.org/show_bug.cgi?id=470608

--
Best regards, Sergey Popov
Gentoo developer
Gentoo Desktop Effects project lead
Gentoo Qt project lead
Gentoo Proxy maintainers project lead