Lukas Slebodnik <lslebodn(a)redhat.com> writes:
On (08/09/16 18:47), git repository hosting wrote:
>This is an automated email from the git hooks/post-receive script.
>
>simo pushed a commit to branch master
>in repository gssproxy.
>
>commit 4ac6451491e8d4dfc4e371eee4c162b297283c0a
>Author: Robbie Harwood <rharwood(a)redhat.com>
>Date: Tue Sep 6 22:38:57 2016 +0000
>
> Add configure option for build hardening
>
> Ticket: https://fedorahosted.org/gss-proxy/ticket/147
>
> Signed-off-by: Robbie Harwood <rharwood(a)redhat.com>
> Reviewed-by: Simo Sorce <simo(a)redhat.com>
> Merges #30
>---
> proxy/Makefile.am | 14 ++++++++++++--
> proxy/conf_macros.m4 | 11 +++++++++++
> proxy/configure.ac | 1 +
> 3 files changed, 24 insertions(+), 2 deletions(-)
>
>diff --git a/proxy/Makefile.am b/proxy/Makefile.am
>index f03f3ea..4359938 100644
>--- a/proxy/Makefile.am
>+++ b/proxy/Makefile.am
>@@ -31,7 +31,9 @@ pkgconfigdir = $(libdir)/pkgconfig
> gpstatedir = @gpstatedir@
> gpclidir = @gpstatedir@/clients
>
>+AM_CPPFLAGS =
> AM_CFLAGS =
>+AM_LDFLAGS =
> if WANT_AUX_INFO
> AM_CFLAGS += -aux-info $@.X
> endif
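Review bot: the empty `AM_CPPFLAGS =` and `AM_LDFLAGS =` definitions are needed for the `+=` lines that follow, but note that automake replaces, rather than extends, `AM_*` flags for any target that defines its own `prog_CPPFLAGS` / `prog_LDFLAGS` in this Makefile; such a target would silently not receive the hardening options, so check that none does, or add `$(AM_CPPFLAGS)` / `$(AM_LDFLAGS)` to those per-target definitions.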
>@@ -41,7 +43,15 @@ if HAVE_GCC
> AM_CFLAGS += -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith \
> -Wcast-qual -Wcast-align -Wwrite-strings \
> -fstrict-aliasing -Wstrict-aliasing -Werror=strict-aliasing \
>- -Werror-implicit-function-declaration
>+ -Werror-implicit-function-declaration \
>+ -Werror=format-security
>+
>+ AM_CPPFLAGS += -Wdate-time
May I ask why a compile-time warning was added to the preprocessor flags?
It makes sense to add -D_FORTIFY_SOURCE=2 into AM_CPPFLAGS.
I know it works even with the current version :-)
But from a semantic point of view it should be part of CFLAGS.
It's not a compile-time check, it's a preprocessor check. It will warn on the
macros __TIME__, __DATE__, and __TIMESTAMP__ as per the gcc man page.
This means it belongs in CPPFLAGS. (This is also where Debian puts it.)
>+endif
>+if BUILD_HARDENING
>+ AM_CPPFLAGS += -D_FORTIFY_SOURCE=2
>+ AM_CFLAGS += -fPIE -fstack-protector-strong
>+ AM_LDFLAGS += -fPIE -pie -fPIC -Wl,-z,relro -Wl,-z,now
> endif
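Review bot: `-D_FORTIFY_SOURCE=2` in `AM_CPPFLAGS` only takes effect when the compile also runs at -O1 or higher; glibc's headers emit a warning and disable the checks in an unoptimized build, so a debug build with `CFLAGS=-O0` silently loses fortification under BUILD_HARDENING, which deserves a comment next to the flag. Separately, `AM_LDFLAGS += -fPIE -pie -fPIC ...` applies `-pie` to every link in this Makefile; if the same Makefile also links a shared object, confirm that `-pie` does not reach that `-shared` link (ld rejects the two together) or move it to the daemon's own per-program `_LDFLAGS`; the `-fPIE`/`-fPIC` on the link line are compile-time options and do nothing there.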
IIRC the same task could be achieved in the spec file
with "%global _hardened_build 1". But it would be better
to check with utilities from binutils or ask
someone more familiar with the toolchain in Fedora/EL.
For Fedora it happens automatically as far as I can tell. (It is also
automatic in Debian and friends.) The chosen route forward here is to
add a configure flag for the convenience of anyone building from source,
as per Simo's request.
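To verify, as Lukas suggests, that the link-time part of the BUILD_HARDENING flags (-pie, -Wl,-z,relro, -Wl,-z,now) actually reached a built binary, here is an added checker that reads the ELF program headers and dynamic section directly; it is example code written for this thread, not part of gssproxy, and the sample_elf() image it exercises is a constructed stand-in for a real binary. The compile-time options (-fstack-protector-strong, _FORTIFY_SOURCE) are visible only through __stack_chk_fail and *_chk symbols and are not inspected here.

```python
import struct

# ELF constants (values from the ELF gABI / glibc elf.h)
ET_EXEC, ET_DYN, PT_DYNAMIC, PT_GNU_RELRO = 2, 3, 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def elf_hardening(data):
    """Report which link-time hardening properties a 64-bit ELF image carries."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("only 64-bit ELF images are handled here")
    end = "<" if data[5] == 1 else ">"           # EI_DATA: little or big endian
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    # Program headers: (type, flags, offset, vaddr, paddr, filesz, memsz, align)
    phdrs = [struct.unpack_from(end + "IIQQQQQQ", data, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]
    bind_now = False
    for p in phdrs:
        if p[0] != PT_DYNAMIC:
            continue
        for off in range(p[2], p[2] + p[5], 16):  # walk the dynamic entries
            tag, val = struct.unpack_from(end + "qQ", data, off)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True
    relro = any(p[0] == PT_GNU_RELRO for p in phdrs)
    return {"pie": e_type == ET_DYN,        # -fPIE -pie (a shared lib is ET_DYN too)
            "relro": relro,                 # -Wl,-z,relro
            "bind_now": bind_now,           # -Wl,-z,now
            "full_relro": relro and bind_now}

def sample_elf(hardened):
    """Constructed minimal ELF64 image (not a real binary) to exercise the checker."""
    dyn = (struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW) if hardened else b"")
    dyn += struct.pack("<qQ", DT_NULL, 0)
    kinds = [PT_DYNAMIC] + ([PT_GNU_RELRO] if hardened else [])
    dynoff = 64 + 56 * len(kinds)                 # dynamic entries follow the phdrs
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if hardened else ET_EXEC, 62, 1, 0x1000,
        64, 0, 0, 64, 56, len(kinds), 64, 0, 0)
    phdrs = b""
    for t in kinds:
        size = len(dyn) if t == PT_DYNAMIC else 0
        phdrs += struct.pack("<IIQQQQQQ", t, 6, dynoff if size else 0, 0, 0, size, size, 8)
    return ehdr + phdrs + dyn
```

On a real build, pass the daemon's bytes, e.g. `elf_hardening(open("gssproxy", "rb").read())`, and expect all four keys to be True when configured with the hardening option.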