[gentoo-hardened] SSP in GCC 4

[gentoo-hardened] SSP in GCC 4

[Mike Williams]

Hi!

I've had gcc-4.3 masked since it went stable back in October, due to the lack 
of SSP.
Coming up soon I've got an opportunity to do some fairly major system upgrades 
on the large number of servers we've got, it would be nice to include the 
newer GCC.
So far we've had no insurmountable problem with 3.4.6, but the newer xen-
sources (>2.6.21)  that support the NICs we're seeing in nehalem machines need 
gcc-4 to build.

Is there any news on SSP in GCC 4?

Thanks

-- 
Mike Williams

Re: [gentoo-hardened] SSP in GCC 4

[Pavel Labushev]

Mike Williams ?????:

> Is there any news on SSP in GCC 4?

There is SSP in gcc 4. AFAIR it is not enabled in the specs due to some
problems on amd64 (correct me if I'm wrong, people). Howewer, it works
for me on x86 since gcc 4.1, and you could enable and test it in your
environment.

Re: [gentoo-hardened] SSP in GCC 4

[Michael Edenfield]

On Sunday January 24 2010 07:34:31 pm Mike Williams wrote:

> Is there any news on SSP in GCC 4?

Use the gcc-4.4 out of the hardened-development overlay.  I've been using the 
overlay (4.3, then 4.4) it on all of my servers, plus my personal machines, 
for almost a year now and so far have only had problems with 1 package (sbcl).

--K

Re: [gentoo-hardened] SSP in GCC 4

[Mike Williams]

On Monday 25 January 2010 02:26:19 Pavel Labushev wrote:
> Mike Williams ?????:
> > Is there any news on SSP in GCC 4?
> 
> There is SSP in gcc 4. AFAIR it is not enabled in the specs due to some
> problems on amd64 (correct me if I'm wrong, people). Howewer, it works
> for me on x86 since gcc 4.1, and you could enable and test it in your
> environment.

Well that's a bit of an arse, we use amd64 :)

Thanks though.

-- 
Mike Williams

Re: [gentoo-hardened] SSP in GCC 4

[Mike Williams]

On Monday 25 January 2010 03:28:24 Michael Edenfield wrote:
> On Sunday January 24 2010 07:34:31 pm Mike Williams wrote:
> > Is there any news on SSP in GCC 4?
> 
> Use the gcc-4.4 out of the hardened-development overlay.  I've been using
>  the overlay (4.3, then 4.4) it on all of my servers, plus my personal
>  machines, for almost a year now and so far have only had problems with 1
>  package (sbcl).

Nice, thanks.
Anything else I need to unmask? Installing gcc-4.4.2-r2 and rebuilding system 
hasn't broken my build box yet!

-- 
Mike Williams

Re: [gentoo-hardened] SSP in GCC 4

[Mike Edenfield]

On 1/25/2010 2:10 PM, Mike Williams wrote:
> On Monday 25 January 2010 03:28:24 Michael Edenfield wrote:
>> On Sunday January 24 2010 07:34:31 pm Mike Williams wrote:
>>> Is there any news on SSP in GCC 4?
>>
>> Use the gcc-4.4 out of the hardened-development overlay.  I've been using
>>   the overlay (4.3, then 4.4) it on all of my servers, plus my personal
>>   machines, for almost a year now and so far have only had problems with 1
>>   package (sbcl).
>
> Nice, thanks.
> Anything else I need to unmask? Installing gcc-4.4.2-r2 and rebuilding system
> hasn't broken my build box yet!
>

I also have glibc unmasked, but I think that's a remnant from a while 
ago and probably not necessary.  The latest version in the overlay is 2.9.

If you are running ~arch you'll pick up a few more things from the 
overlay, like grub and hardened-sources, automatically.  If you're not 
running ~arch I'd suggest you unmask anything that the overlay has in 
it, since there are often PIE or SSP patches included in those versions.

--Mike

[gentoo-hardened] Re: SSP in GCC 4

[Peter Hjalmarsson]

mån 2010-01-25 klockan 15:15 -0500 skrev Mike Edenfield:
> I also have glibc unmasked, but I think that's a remnant from a while 
> ago and probably not necessary.  The latest version in the overlay is
> 2.9.
> 
> If you are running ~arch you'll pick up a few more things from the 
> overlay, like grub and hardened-sources, automatically.  If you're not
> 
> running ~arch I'd suggest you unmask anything that the overlay has in 
> it, since there are often PIE or SSP patches included in those
> versions.
> 

Just use latest stable glibc from portage (glibc in hardened-dev is
going away as soon as Zorry feel comfortable removing it).
The same goes for all other packages, use the versions from portage
unless you have problems compiling that version or told otherwise @
#gentoo-hardened.
When it comes to which arch, I have no bigger problem using the
gcc-4.4.2 on an ~amd64 machine... Bu that may be me that is lucky.;)

Re: [gentoo-hardened] SSP in GCC 4

[Ed W]

On 25/01/2010 20:15, Mike Edenfield wrote:
> On 1/25/2010 2:10 PM, Mike Williams wrote:
>> On Monday 25 January 2010 03:28:24 Michael Edenfield wrote:
>>> On Sunday January 24 2010 07:34:31 pm Mike Williams wrote:
>>>> Is there any news on SSP in GCC 4?
>>>
>>> Use the gcc-4.4 out of the hardened-development overlay.  I've been 
>>> using
>>>   the overlay (4.3, then 4.4) it on all of my servers, plus my personal
>>>   machines, for almost a year now and so far have only had problems 
>>> with 1
>>>   package (sbcl).
>>
>> Nice, thanks.
>> Anything else I need to unmask? Installing gcc-4.4.2-r2 and 
>> rebuilding system
>> hasn't broken my build box yet!
>>
>

Another +1 for Gcc-4.4.x on AMD64.  Working fine here for some months

Ed W

Re: [gentoo-hardened] SSP in GCC 4

[Mike Williams]

On Monday 25 January 2010 03:28:24 Michael Edenfield wrote:
> > Is there any news on SSP in GCC 4?
> 
> Use the gcc-4.4 out of the hardened-development overlay.  I've been using
>  the  overlay (4.3, then 4.4) it on all of my servers, plus my personal
>  machines, for almost a year now and so far have only had problems with 1
>  package (sbcl).

The majority of our servers are now running gcc-4.4.2-r2! And we've had no 
trouble we can attribute to the compiler.
Our build machines did the whole emerge -e thing, but on the servers we just 
installed gcc (emerge gcc -Nu1Kv), switched compiler, then updated world 
(emerge world -DNuKv). They all had between 1/2 and 3/4 of their packages 
updated, including all the important stuff (apache, php, rails, nginx, mysql, 
postgres, etc).

I can now build modern Xen kernels too!

Thanks very much.

-- 
Mike Williams