[gentoo-hardened] gcc-4.3.4 stabilized for a hardened profile?

[gentoo-hardened] gcc-4.3.4 stabilized for a hardened profile?

[Grant]

I've been stuck on gcc-3.4.6 on my hardened profile system (currently:
hardened/linux/amd64/10.0) for a very long time.  Now it looks like
gcc-4.3.4 has been stabilized for hardened profiles.  Has anyone
tested it?  This system is critical for me, so I've got to be careful.

- Grant

Re: [gentoo-hardened] gcc-4.3.4 stabilized for a hardened profile?

[Claes Gyllenswärd]

[-- Attachment #1: Type: text/plain, Size: 1631 bytes --]

I haven't seen any posts with problems.
I use x86 and haven't noticed any problems either, but I haven't used that
system much.
Check bugzilla.

Pasting the original announcement below.


2009/10/18 Grant <emailgrant@gmail.com>

> I've been stuck on gcc-3.4.6 on my hardened profile system (currently:
> hardened/linux/amd64/10.0) for a very long time.  Now it looks like
> gcc-4.3.4 has been stabilized for hardened profiles.  Has anyone
> tested it?  This system is critical for me, so I've got to be careful.
>
> - Grant
>
>
Hello Hardened users, this is just a quick heads up.  GCC 4.3.4 will be
going
stable on hardened profiles shortly.  Unlike Hardened GCC 3.4.6, this
version
lacks default SSP building.  However, FORTIFY_SOURCE=2
and -fno-strict-overflow are now enabled by default.  Other Hardenedcompiler
features (ex. default relro, bind now & pic/pie building) remain enabled -
no
change from 3.4.6.

It is regretable this must be done before GCC4 is SSP-by-default enabled.
However, more and more packages require the newer GCC.  The stable GCC on
Hardened has been GCC 3.4.6 for a long time, but this has become an
untenable
situation.  GCC4 SSP-by-default works and will be added in a later revision
-
some GCC4+SSP bugs in grub and glibc also remain to be fixed.

Please follow '2. General Upgrade Instructions' in the 'Gentoo GCC Upgrade
Guide' [1] when upgrading from GCC 3.4.x to GCC 4.3.x.  The upgrade should
be
relatively smooth, but if you run into upgrade troubles seek help via this
mailing list, bugs.gentoo.org, or irc.freenode.net, #gentoo-hardened.

[1] http://www.gentoo.org/doc/en/gcc-upgrading.xml

[-- Attachment #2: Type: text/html, Size: 2532 bytes --]

Re: [gentoo-hardened] gcc-4.3.4 stabilized for a hardened profile?

[Ed W]

Grant wrote:
> I've been stuck on gcc-3.4.6 on my hardened profile system (currently:
> hardened/linux/amd64/10.0) for a very long time.  Now it looks like
> gcc-4.3.4 has been stabilized for hardened profiles.  Has anyone
> tested it?  This system is critical for me, so I've got to be careful.
>
>   

Probably not much help in this case, but +1 for just virtualising all 
new servers as soon as you get the hardware!  I use linux-vserver which 
is super lightweight and makes testing upgrades of everything (except 
the host) a fairly straightforward job to just duplicate the vserver 
first (or at least shut it down and near instantly back it up)

Not tested 4.3 myself so no real answer to your question though...

Good luck

Ed W

Re: [gentoo-hardened] gcc-4.3.4 stabilized for a hardened profile?

[Michael Orlitzky]

Grant wrote:
> I've been stuck on gcc-3.4.6 on my hardened profile system (currently:
> hardened/linux/amd64/10.0) for a very long time.  Now it looks like
> gcc-4.3.4 has been stabilized for hardened profiles.  Has anyone
> tested it?  This system is critical for me, so I've got to be careful.
> 
> - Grant
> 

A lot of us have been testing the new GCC for a while now using the 
hardened-development overlay. It's as stable as 3.4.x was in my experience.

About a year and a half ago, I reformatted a laptop and started from 
scratch using gcc-4.x from the overlay, because what the hell. Many 
issues from the gcc-3.x era actually cleared up with the new toolchain. 
Once I convinced myself that things were working correctly, I began to 
migrate "real" systems to the development GCC one at a time.

All of my personal machines are using gcc-4.x, and things work much 
better on the desktop than they did with gcc-3.x. Many of our servers 
have also been migrated: web, database, dns, mail, monitoring, firewall, 
etc. all work fine. I have noticed absolutely no difference (either 
positive or negative) on those machines.

In short, switching your default compiler with gcc-config isn't going to 
change anything. Test any new packages/upgrades just as you would have 
with gcc-3.x.

Re: [gentoo-hardened] gcc-4.3.4 stabilized for a hardened profile?

[Grant]

>> I've been stuck on gcc-3.4.6 on my hardened profile system (currently:
>> hardened/linux/amd64/10.0) for a very long time.  Now it looks like
>> gcc-4.3.4 has been stabilized for hardened profiles.  Has anyone
>> tested it?  This system is critical for me, so I've got to be careful.
>>
>> - Grant
>>
>
> A lot of us have been testing the new GCC for a while now using the
> hardened-development overlay. It's as stable as 3.4.x was in my experience.
>
> About a year and a half ago, I reformatted a laptop and started from scratch
> using gcc-4.x from the overlay, because what the hell. Many issues from the
> gcc-3.x era actually cleared up with the new toolchain. Once I convinced
> myself that things were working correctly, I began to migrate "real" systems
> to the development GCC one at a time.
>
> All of my personal machines are using gcc-4.x, and things work much better
> on the desktop than they did with gcc-3.x. Many of our servers have also
> been migrated: web, database, dns, mail, monitoring, firewall, etc. all work
> fine. I have noticed absolutely no difference (either positive or negative)
> on those machines.
>
> In short, switching your default compiler with gcc-config isn't going to
> change anything. Test any new packages/upgrades just as you would have with
> gcc-3.x.

That's great.  I'm up against a mysql upgrade that doesn't want to go
through without the new gcc, so I'm going for it now.

I have 4 desktops on a non-hardened profile and 1 server on a hardened
profile.  I'd love to put the desktops on a hardened profile with this
new gcc.  Can I switch from non-hardened to hardened?

- Grant

Re: [gentoo-hardened] gcc-4.3.4 stabilized for a hardened profile?

[Michael Orlitzky]

Grant wrote:
> 
> That's great.  I'm up against a mysql upgrade that doesn't want to go
> through without the new gcc, so I'm going for it now.
> 
> I have 4 desktops on a non-hardened profile and 1 server on a hardened
> profile.  I'd love to put the desktops on a hardened profile with this
> new gcc.  Can I switch from non-hardened to hardened?
> 
> - Grant
> 

Yep. Just switch your profile to the hardened one, and emerge system 
(the FAQ[1] claims only binutils, gcc, and virtual/libc are necessary). 
Then, switch your compiler, and emerge -ve world to recompile everything 
with the new GCC.

Note that I said there were *fewer* problems with gcc-4.x than there 
were with gcc-3.x hardened. That doesn't mean there aren't problems 
using hardened for a desktop machine. A few packages, e.g.

*  Non-free video drivers
*  Wine
*  Mplayer
*  OpenOffice

usually fail unless you switch to vanilla GCC temporarily. Although, now 
that gcc-4.x is stable, we can probably file these as bugs and get them 
fixed.


[1] http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml

Re: [gentoo-hardened] gcc-4.3.4 stabilized for a hardened profile?

[klondike]

2009/10/27 Michael Orlitzky <michael@orlitzky.com>:
> *  Non-free video drivers
> *  Wine
> *  Mplayer
> *  OpenOffice
>
> usually fail unless you switch to vanilla GCC temporarily. Although, now
> that gcc-4.x is stable, we can probably file these as bugs and get them
> fixed.
Wine doesn't fail for me but you must mark -m the wine-preloader
binary if you use PAX.

Re: [gentoo-hardened] gcc-4.3.4 stabilized for a hardened profile?

[Pavel Labushev]

klondike wrote:
> 2009/10/27 Michael Orlitzky <michael@orlitzky.com>:
>> *  Non-free video drivers
>> *  Wine
>> *  Mplayer
>> *  OpenOffice
>>
>> usually fail unless you switch to vanilla GCC temporarily. Although, now
>> that gcc-4.x is stable, we can probably file these as bugs and get them
>> fixed.
> Wine doesn't fail for me but you must mark -m the wine-preloader
> binary if you use PAX.

Btw, Wine was fine too with hardened GCC 4.x on x86, just without SSP
and with the right PaX flags on the binaries.

Re: [gentoo-hardened] gcc-4.3.4 stabilized for a hardened profile?

[Pavel Labushev]

Michael Orlitzky wrote:

> using hardened for a desktop machine. A few packages, e.g.

> *  Mplayer
> *  OpenOffice

There wasn't a /single/ failure on x86 with these two for me, despite I
compiled it with 3.4.6/4.1.2/4.3.3 - all are hardened and allways with
SSP flags enabled in specs. So at least it worth a try before switching
to vanilla compilers.

> usually fail unless you switch to vanilla GCC temporarily. Although, now

Re: [gentoo-hardened] gcc-4.3.4 stabilized for a hardened profile?

[Mike Edenfield]

On 10/27/2009 6:50 PM, Pavel Labushev wrote:
> Michael Orlitzky wrote:
>
>> using hardened for a desktop machine. A few packages, e.g.
>
>> *  Mplayer
>> *  OpenOffice
>
> There wasn't a /single/ failure on x86 with these two for me, despite I
> compiled it with 3.4.6/4.1.2/4.3.3 - all are hardened and allways with
> SSP flags enabled in specs. So at least it worth a try before switching
> to vanilla compilers.

Both of these fail for me on hardened amd64, though my 
admittedly sketchy memory tells me both built fine when I 
was running hardened x86 on the same hardware a few months back.

The mplayer failure is the same one that's always caused 
problems for SSP -- running out of registers in parts of the 
assembly code.  The OOo build fails on three separate steps 
for three seemingly unrelated reasons, none of which I have 
had time to chase down.

--Mike

Re: [gentoo-hardened] gcc-4.3.4 stabilized for a hardened profile?

[Michael Orlitzky]

Mike Edenfield wrote:
> On 10/27/2009 6:50 PM, Pavel Labushev wrote:
>> Michael Orlitzky wrote:
>>
>>> using hardened for a desktop machine. A few packages, e.g.
>>
>>> *  Mplayer
>>> *  OpenOffice
>>
>> There wasn't a /single/ failure on x86 with these two for me, despite I
>> compiled it with 3.4.6/4.1.2/4.3.3 - all are hardened and allways with
>> SSP flags enabled in specs. So at least it worth a try before switching
>> to vanilla compilers.
> 
> Both of these fail for me on hardened amd64, though my admittedly 
> sketchy memory tells me both built fine when I was running hardened x86 
> on the same hardware a few months back.
> 
> The mplayer failure is the same one that's always caused problems for 
> SSP -- running out of registers in parts of the assembly code.  The OOo 
> build fails on three separate steps for three seemingly unrelated 
> reasons, none of which I have had time to chase down.

OpenOffice fails about an hour into compilation for me, so screw that. 
All of my desktop machines are amd64 -- x86 users might have better 
luck, especially now that 4.x is stable.

If you have any trouble during the 'emerge -ve world', please unleash a 
fury upon bugzilla.

Re: [gentoo-hardened] gcc-4.3.4 stabilized for a hardened profile?

[Mike Edenfield]

On 10/28/2009 12:33 AM, Michael Orlitzky wrote:
> Mike Edenfield wrote:

>> The OOo
>> build fails on three separate steps for three seemingly unrelated
>> reasons, none of which I have had time to chase down.

> OpenOffice fails about an hour into compilation for me, so screw that.
> All of my desktop machines are amd64 -- x86 users might have better
> luck, especially now that 4.x is stable.

My current testing seems to indicate that this is a problem with the 
OpenOffice build and PaX, not with the hardened toolchain itself -- I 
was able to build successfully by turning on softmode first.  Whether 
that makes it easier or harder to "fix" the build problems, I dunno.

--Mike