On (08/09/16 18:24), Robbie Harwood wrote:
Lukas Slebodnik <lslebodn(a)redhat.com> writes:
> On (08/09/16 18:47), git repository hosting wrote:
>>This is an automated email from the git hooks/post-receive script.
>>
>>simo pushed a commit to branch master
>>in repository gssproxy.
>>
>>commit 4ac6451491e8d4dfc4e371eee4c162b297283c0a
>>Author: Robbie Harwood <rharwood(a)redhat.com>
>>Date: Tue Sep 6 22:38:57 2016 +0000
>>
>> Add configure option for build hardening
>>
>> Ticket: https://fedorahosted.org/gss-proxy/ticket/147
>>
>> Signed-off-by: Robbie Harwood <rharwood(a)redhat.com>
>> Reviewed-by: Simo Sorce <simo(a)redhat.com>
>> Merges #30
>>---
>> proxy/Makefile.am | 14 ++++++++++++--
>> proxy/conf_macros.m4 | 11 +++++++++++
>> proxy/configure.ac | 1 +
>> 3 files changed, 24 insertions(+), 2 deletions(-)
>>
>>diff --git a/proxy/Makefile.am b/proxy/Makefile.am
>>index f03f3ea..4359938 100644
>>--- a/proxy/Makefile.am
>>+++ b/proxy/Makefile.am
>>@@ -31,7 +31,9 @@ pkgconfigdir = $(libdir)/pkgconfig
>> gpstatedir = @gpstatedir@
>> gpclidir = @gpstatedir@/clients
>>
>>+AM_CPPFLAGS =
>> AM_CFLAGS =
>>+AM_LDFLAGS =
>> if WANT_AUX_INFO
>> AM_CFLAGS += -aux-info $@.X
>> endif
>>@@ -41,7 +43,15 @@ if HAVE_GCC
>> AM_CFLAGS += -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith \
>> -Wcast-qual -Wcast-align -Wwrite-strings \
>> -fstrict-aliasing -Wstrict-aliasing -Werror=strict-aliasing \
>>- -Werror-implicit-function-declaration
>>+ -Werror-implicit-function-declaration \
>>+ -Werror=format-security
>>+
>>+ AM_CPPFLAGS += -Wdate-time
>
> May I ask why a compile-time warning was added to the preprocessor flags?
> It makes sense to add -D_FORTIFY_SOURCE=2 to AM_CPPFLAGS.
>
> I know it works even with the current version :-)
> But from a semantic point of view it should be part of CFLAGS.
It's not a compile time, it's a preprocessor check. It will warn on the
macros __TIME__, __DATE__, and __TIMESTAMP__ as per the gcc man page.
This means it belongs in CPPFLAGS. (This is also where Debian puts it.)

I should have checked the man page before asking the question.
>>+endif
>>+if BUILD_HARDENING
>>+ AM_CPPFLAGS += -D_FORTIFY_SOURCE=2
>>+ AM_CFLAGS += -fPIE -fstack-protector-strong
>>+ AM_LDFLAGS += -fPIE -pie -fPIC -Wl,-z,relro -Wl,-z,now
>> endif
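Review bot: In the BUILD_HARDENING block, `AM_LDFLAGS += -fPIE -pie -fPIC ...` puts executable-only flags into a variable that automake applies to every link in this Makefile.am, and the build output quoted in this thread shows libtool objects (`proxymech_la-...lo`) coming from the same tree. `-pie` only makes sense for programs, and `-fPIC` next to `-fPIE` on the link line is redundant. Consider moving `-fPIE`/`-pie` to the per-program `_CFLAGS`/`_LDFLAGS` and keeping only `-Wl,-z,relro -Wl,-z,now` global. Two smaller points: `-D_FORTIFY_SOURCE=2` does nothing unless optimization is enabled, and `-Wdate-time` and `-fstack-protector-strong` are not accepted by older GCC releases, yet nothing in this hunk gates them on compiler support, so a configure-time probe per flag would be safer.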
>
> IIRC the same task could be achieved in the spec file
> with "%global _hardened_build 1". But it would be better
> to check with utilities from binutils or ask
> someone more familiar with the toolchain in fedora/el
For Fedora it happens automatically as far as I can tell. (It is also
automatic in Debian and friends.) The chosen route forward here is to
add a configure flag for the convenience of anyone building from source,
as per Simo's request.

Makes sense. Thank you for the answer.
BTW there is a warning in current master.
CC src/mechglue/proxymech_la-gpp_display_status.lo
src/mechglue/gpp_init_sec_context.c: In function ‘gssi_init_sec_context’:
src/mechglue/gpp_init_sec_context.c:159:40: warning: passing argument 3 of
‘gppint_get_def_creds’ from incompatible pointer type [-Wincompatible-pointer-types]
GSS_C_NO_NAME,
^~~~~~~~~~~~~
In file included from src/mechglue/gpp_init_sec_context.c:3:0:
src/mechglue/gss_plugin.h:116:11: note: expected ‘struct gpp_name_handle *’ but argument
is of type ‘struct gss_name_struct *’
OM_uint32 gppint_get_def_creds(OM_uint32 *minor_status,
^~~~~~~~~~~~~~~~~~~~
Is it intentional?
LS
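
Following the suggestion in this thread to check the result with binutils, here is an added example (not part of the original messages and not gssproxy code) that classifies `readelf` output for the protections the BUILD_HARDENING flags are meant to produce. The function names and the two sample excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not gssproxy code): classify readelf output for the
# protections that the BUILD_HARDENING flags are meant to produce.
# Real use (binary path is a placeholder):
#   readelf -W -h -l -d --dyn-syms ./path/to/binary | check_hardening

# has REGEX: "yes" if the captured readelf text in $out matches.
has() { printf '%s\n' "$out" | grep -Eq "$1" && echo yes || echo no; }

check_hardening() {
    out=$(cat)
    # -fPIE -pie: ELF type is DYN (shared objects are DYN too).
    pie=$(has '^[[:space:]]*Type:[[:space:]]+DYN')
    # -z relro adds a GNU_RELRO segment; it is only "full" with -z now.
    relro=none
    if [ "$(has 'GNU_RELRO')" = yes ]; then
        relro=partial
        if [ "$(has '\(FLAGS(_1)?\).*NOW')" = yes ]; then relro=full; fi
    fi
    # -fstack-protector-strong: reference to __stack_chk_fail.
    canary=$(has '__stack_chk_fail')
    # -D_FORTIFY_SOURCE=2: calls to __*_chk wrappers (needs -O1 or higher).
    fortify=$(has '__[a-z0-9_]+_chk(@|[[:space:]]|$)')
    echo "pie=$pie relro=$relro canary=$canary fortify=$fortify"
}

# Constructed readelf excerpts, trimmed to the lines the checks read.
sample_hardened() { cat <<'EOF'
  Type:                              DYN (Position-Independent Executable file)
  GNU_RELRO      0x002d90 0x0000000000003d90 0x0000000000003d90 0x000270 0x000270 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
     7: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (3)
EOF
}

sample_plain() { cat <<'EOF'
  Type:                              EXEC (Executable file)
  GNU_RELRO      0x002e10 0x0000000000403e10 0x0000000000403e10 0x0001f0 0x0001f0 R   0x1
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (2)
EOF
}
```

A `relro=partial` result means the GNU_RELRO segment is present but lazy binding is still enabled, which is what a link with `-Wl,-z,relro` and no `-Wl,-z,now` produces.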