On 6/15/17 11:20 AM, Matthias Maier wrote: > Hi Michael, > > On Sun, Jun 11, 2017, at 16:39 CDT, Michael Brinkman > <thygreatswagged...@gmail.com> wrote: > >> So I was just wondering if ~arch is ready for more secure defaults on >> the 17.0 profiles in the linker flags. There are several >> distributions which ship RELRO by default and I am not aware of any >> performance issues regarding this. > > We (i.e. toolchain) are in the process of enabling quite a number of > security hardening features on default profiles. In particular > > - (force) +pie +ssp for gcc-6 onwards in 17.0 profiles >
there should be a way of turning these off systematically. the advantage of the current hardened gcc specs is that one can switch between them using gcc-config. if these are forced on for the default profile then there will be no easy way to systematically turn them off. for those who don't used hardened, gcc-config -l on hardened profile gives: [1] x86_64-pc-linux-gnu-5.4.0 * [2] x86_64-pc-linux-gnu-5.4.0-hardenednopie [3] x86_64-pc-linux-gnu-5.4.0-hardenednopiessp [4] x86_64-pc-linux-gnu-5.4.0-hardenednossp [5] x86_64-pc-linux-gnu-5.4.0-vanilla while on the default profiles it gives: [1] x86_64-pc-linux-gnu-5.4.0 * [5] on the hardened profile is equivalent to [1] on the vanilla. maybe we should consider merging the hardened and default profiles? -- Anthony G. Basile, Ph.D. Gentoo Linux Developer [Hardened] E-Mail : bluen...@gentoo.org GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA GnuPG ID : F52D4BBA
