> * Tom Hughes:
> > On 13/03/2019 03:27, Huzaifa Sidhpurwala wrote:
> >
> >> On 3/12/19 5:40 PM, Vít Ondruch wrote:
> >>> Will it help to mitigate issues such as:
> >>>
> >>>
> >>> https://bugzilla.redhat.com/show_bug.cgi?id=1284684
> >>>
> >> This is related to the following change which was made in Fedora 23:
> >>
> >> https://fedoraproject.org/wiki/Changes/Harden_All_Packages.
> >>
> >> My proposal does not touch PIE or RELRO at all, but is related to
> >> compiling code with protections which mitigate format string attacks
> >> and stack-based buffer overflows. It is pretty common to enable these
> >> flags while compiling; it's just strange that we don't enable these by
> >> default.
> >
> > We do, just not by changing the compiler defaults.
> >
> > Instead they are in %{optflags} which all packages are expected
> > to use for their compiler flags:
> >
> >
> > https://docs.fedoraproject.org/en-US/packaging-guidelines/#_compiler_flags
> >
> > Here's what %optflags looks like for F29:
> >
> > -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2
> > -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong
> > -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
> > -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
> > -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
> I think Huzaifa knows that. 8-)
Well that hasn't been at all clear in this thread as he keeps
talking like we're not building packages with these options at
the moment.
Tom
--
Tom Hughes (tom(a)compton.nu)
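The %optflags list quoted in this thread only protects a package if every compile line in its build actually carries those flags, and GCC resolves most of them last-wins: a project's own build system appending -fno-stack-protector or -U_FORTIFY_SOURCE after the distribution flags silently undoes them, and _FORTIFY_SOURCE does nothing at all below -O1. The following is an added example written for this page, not code from the thread or from Fedora's own tooling (which checks the finished binaries with annobin instead): a small Python audit that replays each compile line of a build log in order and reports which of the protections named in the F29 %optflags (format-security, FORTIFY_SOURCE, stack protector, stack-clash protection, CET) are not effectively enabled. The build log lines are constructed for the example; the function and variable names are the example's own.

```python
"""Audit compile lines for the hardening flags carried by Fedora's %optflags.

Added example for this thread; not Fedora's tooling.  GCC resolves most of
these options last-wins, so the audit replays each command line in order.
"""
import re
import shlex

# The F29 %optflags as quoted in the thread.
FEDORA_OPTFLAGS = (
    "-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 "
    "-Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong "
    "-grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 "
    "-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic "
    "-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection"
)

# Protections the audit reports on, in report order.
PROTECTIONS = ("format_security", "fortify_source", "stack_protector",
               "stack_clash", "cf_protection")

STACK_PROTECTOR_LEVELS = {
    "-fno-stack-protector": "none",
    "-fstack-protector": "basic",        # only functions with char arrays
    "-fstack-protector-strong": "strong",
    "-fstack-protector-all": "all",
}


def _expand_wp(args):
    """-Wp,-D_FORTIFY_SOURCE=2 hands -D_FORTIFY_SOURCE=2 to the preprocessor;
    flatten it so one matcher covers both spellings."""
    out = []
    for arg in args:
        if arg.startswith("-Wp,"):
            out.extend(arg[len("-Wp,"):].split(","))
        else:
            out.append(arg)
    return out


def audit_flags(cmdline):
    """Replay one compiler command line left to right and return the
    effective state of each hardening option."""
    state = {
        "format_security": False,
        "fortify_level": 0,
        "optimized": False,        # _FORTIFY_SOURCE is a no-op below -O1
        "stack_protector": "none",
        "stack_clash": False,
        "cf_protection": False,
    }
    for arg in _expand_wp(shlex.split(cmdline)):
        if arg == "-Werror=format-security":
            state["format_security"] = True
        elif arg in ("-Wno-error=format-security", "-Wno-format-security"):
            state["format_security"] = False
        elif m := re.fullmatch(r"-D_FORTIFY_SOURCE(?:=(\d+))?", arg):
            state["fortify_level"] = int(m.group(1) or 1)  # bare -Dfoo means foo=1
        elif arg == "-U_FORTIFY_SOURCE":
            state["fortify_level"] = 0
        elif m := re.fullmatch(r"-O(\w*)", arg):
            state["optimized"] = m.group(1) != "0"  # -O, -O2, -Os, -Og all optimize
        elif arg in STACK_PROTECTOR_LEVELS:
            state["stack_protector"] = STACK_PROTECTOR_LEVELS[arg]
        elif arg in ("-fstack-clash-protection", "-fno-stack-clash-protection"):
            state["stack_clash"] = not arg.startswith("-fno-")
        elif arg.startswith("-fcf-protection"):
            state["cf_protection"] = arg != "-fcf-protection=none"
    return state


def missing_hardening(cmdline, fortify_min=2):
    """Protections from PROTECTIONS that cmdline does not effectively enable.
    Basic -fstack-protector counts as missing: %optflags asks for -strong."""
    s = audit_flags(cmdline)
    checks = {
        "format_security": s["format_security"],
        "fortify_source": s["fortify_level"] >= fortify_min and s["optimized"],
        "stack_protector": s["stack_protector"] in ("strong", "all"),
        "stack_clash": s["stack_clash"],
        "cf_protection": s["cf_protection"],
    }
    return [name for name in PROTECTIONS if not checks[name]]


# A compile line: a compiler driver invoked with -c somewhere on the line.
COMPILE_LINE = re.compile(r"^\s*(?:\S*/)?(?:gcc|cc|g\+\+|c\+\+)\b.*\s-c\s")


def audit_build_log(log_text):
    """Map each compiled source file in a build log to its missing protections."""
    report = {}
    for line in log_text.splitlines():
        if not COMPILE_LINE.search(line):
            continue
        for arg in shlex.split(line):
            if arg.endswith((".c", ".cc", ".cpp")):
                report[arg] = missing_hardening(line)
    return report


# Constructed build log: one line honouring %optflags, one ignoring it, and
# one where the project's own flags override it after the fact.
SAMPLE_BUILD_LOG = "\n".join([
    "make[1]: Entering directory '/builddir/build/BUILD/example-1.0'",
    f"gcc {FEDORA_OPTFLAGS} -c good.c -o good.o",
    "gcc -O2 -Wall -c ignores_optflags.c -o ignores_optflags.o",
    f"gcc {FEDORA_OPTFLAGS} -fno-stack-protector -U_FORTIFY_SOURCE "
    "-c overrides.c -o overrides.o",
])

if __name__ == "__main__":
    for src, missing in audit_build_log(SAMPLE_BUILD_LOG).items():
        print(f"{src}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
```

Run against a real mock/koji build.log the same way; a source file that shows up with every protection missing is the "ignores %optflags" case the packaging guideline is meant to prevent, while one that only loses fortify_source or stack_protector usually means the upstream build system appends its own flags after CFLAGS. This is a flag-level check only; whether the protections actually landed in the shipped binary is what the -grecord-gcc-switches and annobin entries in %optflags are there to let you confirm afterwards.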