Ed W wrote:
> Gordon Malm wrote:
>> Hello Hardened users, this is just a quick heads up. GCC 4.3.4 will
>> be going stable on hardened profiles shortly. Unlike Hardened GCC
>> 3.4.6, this version lacks default SSP building. However,
>> FORTIFY_SOURCE=2 and -fno-strict-overflow are now enabled by
>> default. Other Hardened compiler features (ex. default relro, bind
>> now & pic/pie building) remain enabled - no change from 3.4.6.
>>
>> It is regrettable this must be done before GCC4 is SSP-by-default
>> enabled. However, more and more packages require the newer GCC. The
>> stable GCC on Hardened has been GCC 3.4.6 for a long time, but this
>> has become an untenable situation. GCC4 SSP-by-default works and
>> will be added in a later revision - some GCC4+SSP bugs in grub and
>> glibc also remain to be fixed.
>>
>
> Anyone got any empirical reports on upgrading a uclibc hardened
> system? Lack of TLS in uclibc appears to be a potential issue?
>
> Natanael Copa has previously reported very widespread success using
> gcc 4.4.1 + uclibc with apparently fairly minimal additional patches?
> I guess gcc 4.4 isn't yet stable on any profiles, but does gcc4.4 buy
> us anything generally in terms of getting hardened+ssp stable?
>
> Cheers
>
> Ed W

Yesterday I tried compiling gcc-4.3.2-r3 on a stock gentoo hardened uclibc system (uclibc-0.9.28.3-r7) and hit all the bugs I remembered hitting when I was helping Magnus with testing gcc-4* on uclibc (like the fenv.h issue).

The best success I've had is using the toolchain from the hardened-dev overlay. This includes upgrading both gcc and uclibc: gcc-4.4.1-r2, uclibc-0.9.30.1-r1, binutils-2.18-r3. I can emerge -e world with only two issues, sandbox and python. Take a look at bug 275094 for some clues on how to deal with python. I haven't really tackled sandbox yet.

Hope this helps.

-- 
Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201 USA
(716) 829-8197
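Gordon's heads-up lists the per-binary properties the hardened toolchain is meant to produce by default (RELRO, BIND_NOW, PIC/PIE, FORTIFY_SOURCE=2) and the one that GCC 4.3.4 temporarily will not (SSP). All of them leave traces in ELF metadata, so after a toolchain upgrade like the one discussed in this thread you can verify each installed binary rather than trust the profile. The script below is an added example written for this page; it is not Gentoo's code and not part of the thread. It reads the program headers and the dynamic section directly (the same data `readelf -l` and `readelf -d` print) and ships with a constructed, non-loadable ELF64 image (`build_elf`) so it runs offline. The ELF constants are from the gABI; `check_hardening` and `build_elf` are my own names; the SSP and FORTIFY checks are heuristics based on which `__*_chk` symbols the binary imports, as the comments explain.

```python
import struct

# ELF64 little-endian constants from the gABI / LSB (enough for these checks).
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"  # Elf64_Ehdr / Phdr / Dyn


def _program_headers(data):
    hdr = struct.unpack_from(EHDR, data, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    return [struct.unpack_from(PHDR, data, phoff + i * phentsize) for i in range(phnum)]


def _vaddr_to_offset(phdrs, vaddr):
    # The dynamic section holds virtual addresses; map them to file offsets via PT_LOAD.
    for p_type, _, p_offset, p_vaddr, _, p_filesz, _, _ in phdrs:
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError("vaddr %#x is not backed by any PT_LOAD segment" % vaddr)


def _dynamic_tags(data, phdrs):
    tags = {}
    for p in phdrs:
        if p[0] == PT_DYNAMIC:
            off = p[2]
            while True:
                tag, val = struct.unpack_from(DYN, data, off)
                if tag == DT_NULL:
                    break
                tags[tag] = val  # DT_NEEDED repeats, but it is not read here
                off += 16
    return tags


def check_hardening(data):
    """Report the hardening properties that are visible in ELF metadata."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    e_type = struct.unpack_from("<H", data, 16)[0]
    phdrs = _program_headers(data)
    tags = _dynamic_tags(data, phdrs)
    relro = any(p[0] == PT_GNU_RELRO for p in phdrs)
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    nx_stack = bool(stack) and not (stack[0][1] & PF_X)
    bind_now = (DT_BIND_NOW in tags or bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW)
                or bool(tags.get(DT_FLAGS_1, 0) & DF_1_NOW))
    # ET_DYN means position independent; shared libraries are ET_DYN too, so only
    # apply this to executables (newer linkers also set DF_1_PIE to disambiguate).
    pie = e_type == ET_DYN
    # SSP and FORTIFY_SOURCE are compile-time but leave traces as imported symbols:
    # a protected function calls __stack_chk_fail, a fortified call becomes
    # __memcpy_chk etc. Plain -fstack-protector only instruments functions with a
    # char array, so a tiny binary may legitimately lack the symbol; with
    # -fstack-protector-all every function references it. Heuristic, not proof.
    ssp = fortify = False
    if DT_STRTAB in tags and DT_STRSZ in tags:
        off = _vaddr_to_offset(phdrs, tags[DT_STRTAB])
        names = data[off:off + tags[DT_STRSZ]].split(b"\0")
        ssp = b"__stack_chk_fail" in names
        fortify = any(n.startswith(b"__") and n.endswith(b"_chk") and n != b"__stack_chk_fail"
                      for n in names)
    return {"pie": pie, "relro": relro, "bind_now": bind_now, "full_relro": relro and bind_now,
            "nx_stack": nx_stack, "ssp": ssp, "fortify": fortify}


def build_elf(*, pie=True, relro=True, bind_now=True, ssp=True, fortify=True, nx_stack=True):
    """Constructed sample input (not a real binary): a minimal, non-loadable ELF64
    image carrying only the metadata the checker reads, so the check runs offline."""
    base = 0x400000
    dynstr = (b"\0libc.so.6\0" + (b"__stack_chk_fail\0" if ssp else b"")
              + (b"__memcpy_chk\0" if fortify else b""))
    phnum, ndyn = 3 + (1 if relro else 0), 3 + (2 if bind_now else 0)
    dyn_off = 64 + 56 * phnum
    str_off = dyn_off + 16 * ndyn
    size = str_off + len(dynstr)
    phdrs = [(PT_LOAD, PF_R | PF_X, 0, base, base, size, size, 0x1000),
             (PT_DYNAMIC, PF_R | PF_W, dyn_off, base + dyn_off, base + dyn_off, 16 * ndyn, 16 * ndyn, 8)]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R, dyn_off, base + dyn_off, base + dyn_off, 16 * ndyn, 16 * ndyn, 1))
    phdrs.append((PT_GNU_STACK, PF_R | PF_W | (0 if nx_stack else PF_X), 0, 0, 0, 0, 0, 16))
    dyn = [(DT_STRTAB, base + str_off), (DT_STRSZ, len(dynstr))]
    if bind_now:
        dyn += [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW | (DF_1_PIE if pie else 0))]
    dyn.append((DT_NULL, 0))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr = struct.pack(EHDR, ident, ET_DYN if pie else ET_EXEC, 62, 1, base + 64,
                       64, 0, 0, 64, 56, phnum, 0, 0, 0)
    image = (ehdr + b"".join(struct.pack(PHDR, *p) for p in phdrs)
             + b"".join(struct.pack(DYN, *d) for d in dyn) + dynstr)
    assert len(image) == size
    return image


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_elf()
    for key, val in check_hardening(data).items():
        print("%-10s %s" % (key, "yes" if val else "no"))
```

Run it as `python3 check_hardening.py /usr/bin/ls` (assumed file name) on a box after the GCC upgrade: under Gordon's description of the 4.3.4 defaults you should see relro, bind_now, full_relro, pie, fortify and nx_stack reported yes and ssp no, unless the package added -fstack-protector itself. A shared library will also show pie=yes because it is ET_DYN, so judge that field on executables only. To sanity-check the SSP heuristic, compile a small program containing a char array once with -fstack-protector-all and once with -fno-stack-protector and compare the two results.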