Giuseppe Ghibò <[EMAIL PROTECTED]> wrote:
> IMHO what this could replace is the %serverbuild macro, which
> should have -fstack-protector enabled.

Not a bad idea at all. Perhaps other security sensitive software as well. Like for example suid stuff (cdrecord)

> From benchmark (ssbench) I don't see any appreciable slow down, but it
> would be interesting to see some BIG benchmark for instance to Apache
> or some mailer, to see the effective impact. If someone has one or is
> willing to do some intensive benchmark...

On OpenBSD they found something like about 5%. And the whole OS except for some ports/packages that don't like it is built with stackprotector.

> Also we have to be sure, that such patch doesn't have side effect on
> applications. For instance I've heard that mozilla as well as XFree86
> weren't compiling/working with stack-protector enabled.

/usr/ports% grep stack-protector **/Makefile
cad/klogic/Makefile:CFLAGS+=-fno-stack-protector
www/mozilla-firebird/Makefile:CFLAGS+= -fno-stack-protector
www/mozilla/Makefile:CFLAGS+= -fno-stack-protector

It's not that dramatic :)

# Han
--
http://www.xs4all.nl/~hanb/software
http://www.xs4all.nl/~hanb/documents/quotingguide.html