Re: [gentoo-dev] [PATCH] To enable ssp default in Gcc the toolchain.eclass need some changes.

Thu, 09 Jan 2014 15:29:22 -0800 

On 01/09/2014 06:13 PM, Rick "Zero_Chaos" Farina wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/09/2014 06:01 PM, Anthony G. Basile wrote:

On 01/09/2014 05:21 PM, Michał Górny wrote:

Dnia 2014-01-09, o godz. 17:06:52
"Anthony G. Basile" <bluen...@gentoo.org> napisał(a):


On 01/09/2014 04:57 PM, Pacho Ramos wrote:

What are the advantages of disabling SSP to deserve that "special"
handling via USE flag or easily disabling it appending the flag?

There are some cases where ssp could break things.  I know of once case
right now, but its somewhat exotic.  Also, sometimes we *want* to break
things for testing.  I'm thinking here of instance where we want to test
a pax hardened kernel to see if it catches abuses of memory which would
otherwise be caught by executables emitted from a hardened toolchain.
Take a look at the app-admin/paxtest suite.

Just to be clear, are we talking about potential system-wide breakage
or single, specific packages being broken by SSP? In other words, are
there cases when people will really want to disable SSP completely?

Unless I'm misunderstanding something, your examples sound like you
just want -fno-stack-protector per-package. I don't really think you
actually want to rebuild whole gcc just to do some testing on a single
package...


Correct, you'd only want to turn off ssp per package and then only in
rare cases.  You should never have to rebuild gcc for this.  With ssp on
by default, gcc specs would add -fstack-protector to all builds.  If you
don't want a package build with ssp, then just do
CFLAGS="-fno-stack-protector" and you're building without ssp.


This reads very much like "the nossp use flag is useless".
I was not referring to the nossp flag. I was simply answering Michał's concern about ssp and system wide breakage. My point is that ssp on by default will NOT lead to system wide breakage, only per package and then only very very rarely. 

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : bluen...@gentoo.org
GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB  DC79 9384 FA6E F52D 4BBA
GnuPG ID  : F52D4BBA

Reply via email to