I've had trouble finding documentation for -D_FORTIFY_SOURCE... its not in the gcc man page. But I did find this: http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html
which gives a pretty good description. -D_FORTIFY_SOURCE=2 is by-far the most popular choice. -D_FORTIFY_SOURCE=3 looks like a debugging feature, and -D_FORTIFY_SOURCE=4 looks like a way to disable FORTIFY_SOURCE while still defining it. -D_FORTIFY_SOURCE=1 I'm not so clear on. As an effort at code auditing, I'd like to strive to use "-Wall -Werror" too. This will require patching to most packages to get their code up to date with gcc-4.1. "-Wformat=2 -Werror" (this includes -Wformat -Wformat-nonliteral -Wformat-security -Wformat-y2k) is another idea too. For those of us who don't know what vulnerable code looks like, using these options could help. After looking at the clfs book, and testing, it looks like we can drop the installation of libc-headers from chapter 5. The adjusting toolchain in chapter 5 can probably go too, only the test needs to be done and that can be done in the libc page. robert -- http://linuxfromscratch.org/mailman/listinfo/hlfs-dev FAQ: http://www.linuxfromscratch.org/faq/ Unsubscribe: See the above information page
