On 15/09/15 08:26 AM, Jan Alexander Steffens wrote:
> Hi,
> 
> I was quite surprised today that gcc suddenly started defaulting to
> -fstack-check. After some confusion and a bit of exploration, it turned out
> that hardening-wrapper, which came as a makedep with python, was
> responsible.
> 
> It is quite unfortunate that hardening-wrapper unexpectedly alters
> system-wide compiler behavior.
> 
> In addition, since makepkg layers ccache in front of hardening-wrapper,
> ccache will now miss compiler updates.
> 
> IMO it should be a makedepend on any package. If we want to harden our
> packages we can do this via makepkg.conf or adjusting CFLAGS in the
> PKGBUILD, not supposedly-per-package system-wide hacks. Thoughts?
> 
> Greetings,
> Jan

It's currently necessary to use PIE (ASLR) because you need different
switches for building / linking executables and shared libraries. The
secondary reason for it existing is to work around build systems not
respecting CFLAGS/LDFLAGS (many of them). It would be great if they were
all fixed, but it's unrealistic.

It's only system-wide without devtools. It was done this way because my
attempt to get makepkg to support this (as rpm/dpkg do on other
distributions) didn't pan out.

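The reply's point that executables and shared libraries need different switches, as an added shell sketch. It is not part of the original message and not hardening-wrapper's code; the function name `pie_flags` and the list of flags it inspects are assumptions.

```shell
#!/bin/sh
# Sketch of the per-invocation decision a compiler wrapper makes for PIE.
# Illustration only: pie_flags and the flag list are assumptions, not the
# logic of any particular wrapper.

# pie_flags ARGS...: print the extra flags to add to one compiler call.
pie_flags() {
    compile_only=0   # -c/-S/-E: no link step, so -pie must not be added
    skip=0           # the build already chose a code model or output type
    for arg in "$@"; do
        case "$arg" in
            -c|-S|-E)
                compile_only=1 ;;
            -shared|-static|-r|-nostdlib|-nostartfiles)
                # shared object, static binary, relocatable link or
                # freestanding code: forcing PIE would break these
                skip=1 ;;
            -fPIC|-fpic|-fPIE|-fpie|-fno-PIC|-fno-pic|-fno-PIE|-fno-pie|-pie)
                # an explicit choice by the build system wins
                skip=1 ;;
        esac
    done
    if [ "$skip" -eq 1 ]; then
        echo ""
    elif [ "$compile_only" -eq 1 ]; then
        echo "-fPIE"          # object for an executable: compile flag only
    else
        echo "-fPIE -pie"     # compile-and-link or link step: both flags
    fi
}

# Constructed sample invocations (not taken from a real build log).
while IFS= read -r line; do
    # Word splitting of $line is intended: each word is one compiler arg.
    printf '%-32s -> %s\n' "$line" "$(pie_flags $line)"
done <<'EOF'
-O2 -c main.c -o main.o
main.o -o app
-fPIC -c lib.c -o lib.o
-shared lib.o -o libfoo.so
EOF
```

A single global CFLAGS/LDFLAGS value cannot express this, because the right answer depends on what each individual invocation is producing.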