Hi Michael,

On Sun, Jun 11, 2017, at 16:39 CDT, Michael Brinkman <thygreatswagged...@gmail.com> wrote:
> So I was just wondering if ~arch is ready for more secure defaults on
> the 17.0 profiles in the linker flags. There are several
> distributions which ship RELRO by default and I am not aware of any
> performance issues regarding this.

We (i.e. toolchain) are in the process of enabling quite a number of security hardening features on default profiles. In particular

 - (force) +pie +ssp for gcc-6 onwards in 17.0 profiles
 - enable additional hardening features for glibc-2.25 and newer (will be merged soon).

But, yes. Updated linker flags are a very good point. I have put updated linker flags on the toolchain meeting agenda for next week.

The hardened profiles (even used without a hardened kernel) will serve an important difference in the future. While we try to enable as many security features on default profiles as possible, we have to compromise between security features and not introducing regressions. The hardened profiles will thus have more aggressive security features enabled for the foreseeable future (at the cost of more potential breakage).

Best,
Matthias