From: basile
Date: Thu, 15 Oct 2009 11:44:29 -0400
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] NOTICE: GCC 4.3.4 going stable on Hardened

Ed W wrote:
> Gordon Malm wrote:
>> Hello Hardened users, this is just a quick heads up. GCC 4.3.4 will
>> be going stable on hardened profiles shortly.
>> Unlike Hardened GCC 3.4.6, this version lacks default SSP building.
>> However, FORTIFY_SOURCE=2 and -fno-strict-overflow are now enabled by
>> default. Other Hardened compiler features (ex. default relro, bind
>> now & pic/pie building) remain enabled - no change from 3.4.6.
>>
>> It is regrettable this must be done before GCC4 is SSP-by-default
>> enabled. However, more and more packages require the newer GCC. The
>> stable GCC on Hardened has been GCC 3.4.6 for a long time, but this
>> has become an untenable situation. GCC4 SSP-by-default works and
>> will be added in a later revision - some GCC4+SSP bugs in grub and
>> glibc also remain to be fixed.
>>
>
> Anyone got any empirical reports on upgrading a uclibc hardened
> system? Lack of TLS in uclibc appears to be a potential issue?
>
> Natanael Copa has previously reported very widespread success using
> gcc 4.4.1 + uclibc with apparently fairly minimal additional patches?
> I guess gcc 4.4 isn't yet stable on any profiles, but does gcc4.4 buy
> us anything generally in terms of getting hardened+ssp stable?
>
> Cheers
>
> Ed W

Yesterday I tried compiling gcc-4.3.2-r3 on a stock gentoo hardened
uclibc system (uclibc-0.9.28.3-r7) and hit all the bugs I remembered
hitting when I was helping Magnus with testing gcc-4* on uclibc. (Like
the fenv.h issue).

The best success I've had is using the toolchain from the hardened-dev
overlay. This includes upgrading both gcc and uclibc: gcc-4.4.1-r2,
uclibc-0.9.30.1-r1, binutils-2.18-r3. I can emerge -e world with only
two issues, sandbox and python. Take a look at bug 275094 for some clues
on how to deal with python. I haven't really tackled sandbox yet.

Hope this helps.

-- 
Anthony G. Basile, Ph.D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
USA
(716) 829-8197