Rich Freeman posted on Tue, 10 Sep 2013 21:17:33 -0400 as excerpted:

> On Tue, Sep 10, 2013 at 6:41 PM, Richard Yao <r...@gentoo.org> wrote:
>> 1. The kernel expects -fno-stack-protector to be the default. What will
>> the effect be on kernel configuration once -fstack-protector is the
>> default?
>
> Nothing, since the kernel build system doesn't source make.conf. If
> somebody creates an ebuild that actually installs a kernel then it might
> be an issue, though it could be filtered if it is a problem.
If I'm not mistaken, dirtyepic intends to patch gcc directly to enable
-fstack-protector, changing the default at that level so it'll be used
unless -fno-stack-protector is in CFLAGS. At least, that's how I
interpret (dirtyepic): "filter-flags -fstack-protector [won't] actually
work (we have to patch the compiler, not just add it to the default flags
in the profiles or something)."

Which means that yes, it WILL affect the kernel (and anything else
separately compiled, unless -fno-stack-protector is given), since it'll
then be the gentoo-patched gcc default, not in make.conf.

(Tho jer points out that the parisc arch, among others, won't work with
that flag at all, and warns to that effect. So I guess the patch will
either be ifdeffed not to apply on such archs or will be conditionally
applied in the first place. The former is I believe preferred as
conditional patching is considered subpar.)

I guess hardened should know what -fstack-protector does to the kernel,
tho.

But in any case it's certainly worth a news item when it happens, as
people obviously build a lot of stuff with gcc independent of the tree,
and I'm sure some of it will break if that becomes the default, so
letting them know about it with a news item should help avoid at least
/some/ of the resulting bugs from such a default-change.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman
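The thread's point is that a compiler-level default (as opposed to a make.conf flag) silently reaches everything built with that gcc, including the kernel and out-of-tree code. The following script is an added example, not part of this mailing-list post or of any Gentoo patch, that probes a given gcc to find out whether -fstack-protector is on by default: it compiles a tiny constructed function with a 64-byte local char buffer (large enough to be instrumented under the default ssp-buffer-size of 8) with no flags at all and looks for the `__stack_chk_fail` reference in the emitted assembly. The compiler name (`$CC` or `gcc`) and the probe source are assumptions of the example; it uses only standard gcc options (`-x c -S -o - -`).

```shell
#!/bin/sh
# Added example (not from the post): detect whether a gcc enables
# -fstack-protector with no flag given, i.e. as its built-in default.

# Return 0 if the assembly text on stdin references the stack-protector
# failure routine, 1 otherwise. Pure grep, so it is testable on
# constructed input without a compiler.
asm_uses_ssp() {
    grep -q '__stack_chk_fail'
}

# Emit assembly for a constructed probe function whose local char buffer
# (64 bytes, above the default 8-byte ssp-buffer-size) is exactly the kind
# of frame -fstack-protector instruments. $1 = compiler, rest = extra flags.
probe_asm() {
    pcc="$1"; shift
    printf '%s\n' \
        'extern void fill(char *);' \
        'void probe(void) { char buf[64]; fill(buf); }' \
        | "$pcc" "$@" -x c -S -o - - 2>/dev/null
}

# Exit status: 0 = protector ON by default, 1 = OFF by default,
# 2 = could not determine (compiler missing, or it has no SSP support).
check_default_ssp() {
    cc="${1:-gcc}"
    command -v "$cc" >/dev/null 2>&1 || return 2
    # Sanity check: forcing -fstack-protector must produce the canary
    # check; if it does not, the toolchain cannot do SSP at all.
    probe_asm "$cc" -fstack-protector | asm_uses_ssp || return 2
    # Now compile with no flags: whatever shows up is the compiler default.
    if probe_asm "$cc" | asm_uses_ssp; then
        return 0
    fi
    return 1
}

# Human-readable report for one compiler.
report_default_ssp() {
    check_default_ssp "$1"
    case $? in
        0) echo "$1: -fstack-protector is ON by default; kernels and other" \
                "out-of-tree builds that cannot cope need -fno-stack-protector" ;;
        1) echo "$1: -fstack-protector is OFF by default" ;;
        *) echo "$1: could not determine (compiler missing or no SSP support)" ;;
    esac
}

report_default_ssp "${CC:-gcc}"
```

Run it as `CC=/usr/bin/gcc-13 sh ssp-default-check.sh` (or any other compiler path) before and after a toolchain change; a switch from OFF to ON is the case the news item in this thread is meant to warn about, and `-fno-stack-protector` in the affected project's own flags is the opt-out the post describes.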