Andres Freund <and...@anarazel.de> writes: > On 2022-08-30 13:24:39 -0400, Tom Lane wrote: >> Andres Freund <and...@anarazel.de> writes: >>> Perhaps it'd be saner to default to building with -Wl,-z,now? That should >>> fix >>> the problem too, right (and if we combine it with relro, it'd be a security >>> improvement to boot).
>> Hm. Not sure if that works on NetBSD, but I'll check it out. > FWIW, it's a decently (well over 10 years) old thing I think. And it's > documented in > the netbsd ld manpage and their packaging guide (albeit indirectly, with their > tooling doing the work of specifying the flags): > https://www.netbsd.org/docs/pkgsrc/hardening.html#hardening.audit.relrofull It does appear that they use GNU ld, and I've just finished confirming that each of those switches has the expected effects on my PPC box. So yeah, this looks like a better answer. Do we want to install this just for NetBSD, or more widely? I think we'd better back-patch it for NetBSD, so I'm inclined to be conservative about the change. regards, tom lane
