[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Hardened toolchain
From: |
Katherine Cox-Buday |
Subject: |
Re: Hardened toolchain |
Date: |
Mon, 02 May 2022 09:55:05 -0500 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux) |
zimoun <zimon.toutoune@gmail.com> writes:
> On Tue, 29 Mar 2022 at 12:15, Ludovic Courtès <ludo@gnu.org> wrote:
>
>> Stack smashing protection (SSP) may incur measurable run-time
>> overhead though so enabling that one by default may be less
>> consensual.
>
> That’s true and it could be an issue for HPC practitioners. However,
> quoting Wikipedia [1], for what it is worth:
>
> All Fedora packages are compiled with -fstack-protector since Fedora
> Core 5, and -fstack-protector-strong since Fedora 20.[19][20] Most
> packages in Ubuntu are compiled with -fstack-protector since 6.10.[21]
> Every Arch Linux package is compiled with -fstack-protector since
> 2011.[22] All Arch Linux packages built since 4 May 2014 use
> -fstack-protector-strong.[23] Stack protection is only used for some
> packages in Debian,[24] and only for the FreeBSD base system since
> 8.0.[25] Stack protection is standard in certain operating systems,
> including OpenBSD,[26] Hardened Gentoo[27] and DragonFly BSD.
For me at least, this is a compelling argument for also defaulting to more
secure, but possibly slower, build flags. (Full disclosure: I would personally
benefit from the security over performance model of defaults).
But I think we should state our reasons plainly in the documentation, and
provide an easy way for those who need performance to "recompile the world".
--
Katherine
- Re: Hardened toolchain,
Katherine Cox-Buday <=