Re: [gentoo-dev] Re: [PATCH] To enable ssp default in Gcc the toolchain.eclass need some changes.

["Rick \"Zero_Chaos\" Farina" <zerochaos@gentoo.org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/09/2014 07:17 PM, Ryan Hill wrote:
> On Thu, 9 Jan 2014 17:30:46 -0600 Ryan Hill <dirtyepic@gentoo.org>
> wrote:
> 
>> On Thu, 09 Jan 2014 17:29:26 -0500 "Rick \"Zero_Chaos\" Farina"
>> <zerochaos@gentoo.org> wrote:
>> 
>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>> 
>>> On 01/09/2014 05:21 PM, Michał Górny wrote:
>>>> Dnia 2014-01-09, o godz. 17:06:52 "Anthony G. Basile"
>>>> <blueness@gentoo.org> napisał(a):
>>>> 
>>>>> On 01/09/2014 04:57 PM, Pacho Ramos wrote:
>>>>>> What are the advantages of disabling SSP to deserve that
>>>>>> "special" handling via USE flag or easily disabling it
>>>>>> appending the flag?
>>>>> 
>>>>> There are some cases where ssp could break things.  I know
>>>>> of once case right now, but its somewhat exotic.  Also,
>>>>> sometimes we *want* to break things for testing.  I'm
>>>>> thinking here of instance where we want to test a pax
>>>>> hardened kernel to see if it catches abuses of memory which
>>>>> would otherwise be caught by executables emitted from a
>>>>> hardened toolchain. Take a look at the app-admin/paxtest
>>>>> suite.
>>>> 
>>>> Just to be clear, are we talking about potential system-wide
>>>> breakage or single, specific packages being broken by SSP? In
>>>> other words, are there cases when people will really want to
>>>> disable SSP completely?
>>>> 
>>>> Unless I'm misunderstanding something, your examples sound
>>>> like you just want -fno-stack-protector per-package. I don't
>>>> really think you actually want to rebuild whole gcc just to
>>>> do some testing on a single package...
>>>> 
>>> Or just as easily set -fno-stack-protector in CFLAGS in
>>> make.conf.
>>> 
>>> I never felt manipulating cflags with use flags was a great
>>> idea, but in this case is does feel extra pointless.
>>> 
>>> Personally I don't feel this is needed, and the added benefit
>>> of clearing up a bogus "noblah" use flag makes me smile.
>>> 
>>> Zorry, do we really need this flag?
>> 
>> Yes, we do.  I want a way to disable it at a toolchain level.
> 
> Let me clarify.  I would like to be able to disable it without
> relying on CFLAGS or anything the user could fiddle with.  I need a
> big red off switch, at least for now.
> 
> 
I think if you clarify this last statement a lot of the arguments will
vanish.  I believe most of us are happy to hear your thoughts in a
little more detail, and will be swayed by them.

- -Zero
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJSz5W+AAoJEKXdFCfdEflKle4P/3pwjbSDuPy56TXvyH43/Ucg
LvTtyycvGF5pw4UzNBPoao+E7F4E84MFIrfLGE3XpkH1J4v4SLXwh+CuHJHaSxJg
Zx1C6zhk0HnAS2LZHDCuS14+zyOpF/VELOZAimr8V1UBTot3gyZUVvBIsXoJwKx6
3nb+abTHHIFDcSGJz6KM36dy67MMW2kpcKTx5Wu7W91232K8WY3v1KuNRtLBQkd/
/YNcpkW3fkA5Plk7sMTFb8iL6k2oajNw/3PKvX9L/MSBf+PmGKB7yA3Yt5Qu2Grw
gUdUel/fCtXyhv1Had3pjeqZCgK7mFUuw6pAieQen2cYmAypLTC8D7JpaIBkJ9G0
cAz4lBB4EXc+l5mh2SS9D4LqL/4bWu3f7xFdeSuGcoxU1aL8/pgAvz0LpP7/o8ib
BMdvwPcy5zn9W5+jkx5IZXidIpEBHzJKEnSR5+Mf39xn9z0nOrEvzGWxEHIerlWc
hlHNU8x5wsZdnfJsY9tOfb5/hCOZW6uTtdvSR7eDFC6+xx2kBuiS+lC9Dtg76t1q
VAiDOQIb1qgM9D6IUA+Q6WG2sWj3aTmZxfRYYQZ0DBGG266Rr2HaQaVDmWjU8W2u
etxretxm0emYr8vHBPJD1XKwOCs577u4W5sVrQbZl+VutEVH+pqJTg0NOYxTeSTW
CWAZGdV093+dQAa58/M4
=YP+O
-----END PGP SIGNATURE-----