On Thu, Jun 26, 2014 at 9:57 PM, Michael Gilbert wrote:
> On Thu, Jun 26, 2014 at 7:57 AM, Romain Francoise wrote:
>> I've already touched upon this elsewhere in this thread, but my personal
>> feeling is that we don't want to go down that road. Detecting which
>> compiler is used and parsing/comparing version numbers is bound to be
>> fragile and require a lot of maintenance over time.
>
> Version comparison is something computers do incredibly well and
> incredibly reliably all the time, so it isn't obvious why it would
> suddenly fall apart here.
Here is a slightly altered version of your patch that does this.

The following packages build correctly now with this applied:
chromium
contextfree
spek

These have already switched to gcc 4.9:
llvm-toolchain-snapshot
openimageio

These use an old style of passing buildflags that doesn't get CC/CXX exported early enough for dpkg-buildflags:
flexc++
gpg-remailer
oxref

Those can be fixed by manually adding CC/CXX in time, e.g.
export CXXFLAGS=$(shell CXX=$(CXX) dpkg-buildflags --get CXXFLAGS)
but that would also require an nmu.

Best wishes,
Mike
diff -Nru dpkg-1.17.10/scripts/Dpkg/Vendor/Debian.pm dpkg-1.17.10+nmu1/scripts/Dpkg/Vendor/Debian.pm --- dpkg-1.17.10/scripts/Dpkg/Vendor/Debian.pm 2014-05-30 16:30:50.000000000 +0000 +++ dpkg-1.17.10+nmu1/scripts/Dpkg/Vendor/Debian.pm 2014-06-29 04:53:06.000000000 +0000 @@ -93,6 +93,21 @@ bindnow => 0, ); + # Use -fstack-protector-strong starting with gcc 4.9. + my $cc = ''; + if (defined $ENV{CXX}) { + $cc = $ENV{CXX}; + } elsif (defined $ENV{CC}) { + $cc = $ENV{CC}; + } + my $use_stackprotector_strong = 1; + if ($cc ne '') { + my @cc_version = split('\.', qx($cc -dumpversion)); + if ($cc =~ /g??-/ and $cc_version[0] == 4 and $cc_version[1] < 9) { + $use_stackprotector_strong = 0; + } + } + # Adjust features based on Maintainer's desires. my $opts = Dpkg::BuildOptions->new(envvar => 'DEB_BUILD_MAINT_OPTIONS'); foreach my $feature (split(/,/, $opts->get('hardening') // '')) { @@ -129,6 +144,12 @@ # compiler supports it incorrectly (leads to SEGV) $use_feature{stackprotector} = 0; } + if ($arch =~ /^(?:m68k|or1k|powerpcspe|sh4|x32)$/) { + # "Strong" stack protector disabled on m68k, or1k, powerpcspe, sh4, x32. + # It requires GCC 4.9 and these archs are still using 4.8 as of + # gcc-defaults 1.128. + $use_stackprotector_strong = 0; + } if ($cpu =~ /^(?:ia64|hppa|avr32)$/) { # relro not implemented on ia64, hppa, avr32. $use_feature{relro} = 0; 
@@ -161,13 +182,23 @@ # Stack protector if ($use_feature{stackprotector}) { - $flags->append('CFLAGS', '-fstack-protector --param=ssp-buffer-size=4'); - $flags->append('OBJCFLAGS', '-fstack-protector --param=ssp-buffer-size=4'); - $flags->append('OBJCXXFLAGS', '-fstack-protector --param=ssp-buffer-size=4'); - $flags->append('FFLAGS', '-fstack-protector --param=ssp-buffer-size=4'); - $flags->append('FCFLAGS', '-fstack-protector --param=ssp-buffer-size=4'); - $flags->append('CXXFLAGS', '-fstack-protector --param=ssp-buffer-size=4'); - $flags->append('GCJFLAGS', '-fstack-protector --param=ssp-buffer-size=4'); + if ($use_stackprotector_strong) { + $flags->append('CFLAGS', '-fstack-protector-strong'); + $flags->append('OBJCFLAGS', '-fstack-protector-strong'); + $flags->append('OBJCXXFLAGS', '-fstack-protector-strong'); + $flags->append('FFLAGS', '-fstack-protector-strong'); + $flags->append('FCFLAGS', '-fstack-protector-strong'); + $flags->append('CXXFLAGS', '-fstack-protector-strong'); + $flags->append('GCJFLAGS', '-fstack-protector-strong'); + } else { + $flags->append('CFLAGS', '-fstack-protector --param=ssp-buffer-size=4'); + $flags->append('OBJCFLAGS', '-fstack-protector --param=ssp-buffer-size=4'); + $flags->append('OBJCXXFLAGS', '-fstack-protector --param=ssp-buffer-size=4'); + $flags->append('FFLAGS', '-fstack-protector --param=ssp-buffer-size=4'); + $flags->append('FCFLAGS', '-fstack-protector --param=ssp-buffer-size=4'); + $flags->append('CXXFLAGS', '-fstack-protector --param=ssp-buffer-size=4'); + $flags->append('GCJFLAGS', '-fstack-protector --param=ssp-buffer-size=4'); + } } # Fortify Source
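Review bot: in the first hunk (the compiler probe added after the `bindnow => 0` line), the name test `$cc =~ /g??-/` does not do what the surrounding code suggests: `g??` is a lazy, optional `g`, so the pattern is true for any compiler string containing a hyphen (a cross prefix such as `x86_64-linux-gnu-gcc`, or `clang-3.5`) and false for a plain `gcc` or `g++`, which then gets -fstack-protector-strong regardless of its version. If the intent is to apply the version check only to GCC, test for `gcc`/`g++` explicitly, e.g. `$cc =~ /\bg(?:cc|\+\+)\b/`. Separately, `qx($cc -dumpversion)` interpolates $CXX/$CC unquoted into a shell command and its output is used without checking `$?` or that `@cc_version` has at least two elements; a compiler that is missing, not executable yet at this point, or that answers -dumpversion with a non-GCC numbering produces empty or meaningless values, so guard the comparison with `defined $cc_version[1]` and decide explicitly which way an inconclusive probe falls (as written it falls to "strong"). Also note that CXX is consulted before CC even for C-only builds; document that choice or probe the compiler matching the flag variable being set.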
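Review bot: the architecture list in the second hunk (`m68k|or1k|powerpcspe|sh4|x32`) hardcodes a point-in-time snapshot of which ports still default to GCC 4.8 ("as of gcc-defaults 1.128"), which duplicates the compiler probe added in the first hunk and will silently keep those ports on the weaker protector after they move to 4.9; either drop this block and rely on the probe, or state in the comment that the list must be revisited on each gcc-defaults upload so it does not rot. This check also uses `$arch` while the neighbouring relro check uses `$cpu`; confirm `$arch` (the Debian architecture string, not visible in the hunk context) is in scope here, since names like x32 and powerpcspe are architecture names rather than cpu names and the `$cpu` match would not work for them.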
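Review bot: the third hunk repeats the same `$flags->append(...)` call seven times in each branch of the new `if ($use_stackprotector_strong)`; compute the option string once and loop over the flag variables so the two lists cannot drift apart, e.g.
    my $ssp = $use_stackprotector_strong ? '-fstack-protector-strong' : '-fstack-protector --param=ssp-buffer-size=4';
    $flags->append($_, $ssp) for qw(CFLAGS OBJCFLAGS OBJCXXFLAGS FFLAGS FCFLAGS CXXFLAGS GCJFLAGS);
Dropping `--param=ssp-buffer-size=4` in the strong branch is correct, since -fstack-protector-strong does not use the buffer-size heuristic; a one-line comment saying so would save the next reader from "fixing" it.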