On 12/15/2015 12:18 PM, Antonio Trande wrote: > Since i started to rebuild my packages for hardened builds issue, I > discovered (until now) a couple of libraries that result without > "Canary protection" according to output of 'checksec' tool.
checksec is very unreliable, unfortunately. Most of its checks can err in both directions. > 1) From point of view of packaging, is it acceptable a forcing of > -fstack-protector-all? It has a performance impact (a few percent). In general, it is bad practice to override RPM_OPT_FLAGS. > 2) Does -fstack-protector-all permit a real protection where > -fstack-protector-strong does not? These cases are GCC bugs. They do happen. Here is an example: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=68680 But you should not have to worry about this; all you need to make sure is that all C/C++ sources are compiled with -fstack-protector-strong. Florian -- devel mailing list devel@lists.fedoraproject.org http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
