public inbox for gentoo-hardened@lists.gentoo.org
From: basile <basile@opensource.dyc.edu>
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] NOTICE: GCC 4.3.4 going stable on Hardened
Date: Thu, 15 Oct 2009 11:44:29 -0400
Message-ID: <4AD7435D.8070805@opensource.dyc.edu>
In-Reply-To: <4AD60928.6090804@wildgooses.com>

Ed W wrote:
> Gordon Malm wrote:
>> Hello Hardened users, this is just a quick heads up.  GCC 4.3.4 will
>> be going stable on hardened profiles shortly.  Unlike Hardened GCC
>> 3.4.6, this version lacks default SSP building.  However,
>> FORTIFY_SOURCE=2 and -fno-strict-overflow are now enabled by
>> default.  Other Hardened compiler features (ex. default relro, bind
>> now & pic/pie building) remain enabled - no change from 3.4.6.
>>
>> It is regrettable this must be done before GCC4 is SSP-by-default
>> enabled.  However, more and more packages require the newer GCC.  The
>> stable GCC on Hardened has been GCC 3.4.6 for a long time, but this
>> has become an untenable situation.  GCC4 SSP-by-default works and
>> will be added in a later revision - some GCC4+SSP bugs in grub and
>> glibc also remain to be fixed.
>>
>>   
>
> Anyone got any empirical reports on upgrading a uclibc hardened
> system?  Lack of TLS in uclibc appears to be a potential issue?
>
> Natanael Copa has previously reported very widespread success using
> gcc 4.4.1 + uclibc with apparently fairly minimal additional patches?
>  I guess gcc 4.4 isn't yet stable on any profiles, but does gcc4.4 buy
> us anything generally in terms of getting hardened+ssp stable?
>
> Cheers
>
> Ed W

Yesterday I tried compiling gcc-4.3.2-r3 on a stock gentoo hardened
uclibc system (uclibc-0.9.28.3-r7) and hit all the bugs I remembered
hitting when I was helping Magnus with testing gcc-4* on uclibc. (Like
the fenv.h issue).

The best success I've had is using the toolchain from the hardened-dev
overlay.  This includes upgrading both gcc and uclibc: gcc-4.4.1-r2,
uclibc-0.9.30.1-r1, binutils-2.18-r3.  I can emerge -e world with only
two issues, sandbox and python.  Take a look at bug 275094 for some clues
on how to deal with python.  I haven't really tackled sandbox yet.

Hope this helps.

-- 

Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
USA

(716) 829-8197



