Building ports with stack-protector

[Garrett Cooper]

On Sat, May 29, 2010 at 7:19 PM, Janne Snabb <snabb at epipe.com> wrote:
> Hi,
>
> Big thanks to the folks who made "make buildworld" to use
> -fstack-protector by default since 8.0. This should make FreeBSD
> more secure.
>
> How about the ports system?
>
> I tried to re-build all my ports some time ago with the stack-protector
> enabled by adding -fstack-protector in CFLAGS in /etc/make.conf.
> Most ports build & work fine with this enabled, but there are several
> exceptions. Some libraries cannot be compiled with this (either the
> build fails or linking other programs which use the library later
> fail). Also some programs that do strange things fail to build or
> run.
>
> IMHO it would make sense to make some sort of framework in the ports
> system to support this. I think there should be a port Makefile
> knob which tells if the port can be built with the stack-protector
> or not. Now it is difficult to determine on port-by-port basis if
> it can be enabled or not.
>
> Is there any work or plans to accomplish this?
>
> It would be great to compile at least all the network facing server
> programs with this enabled. I have an impression that more than 90%
> of programs can be compiled with the stack-protector. For libraries
> the percentage might be less.
>
> What do you think?

While this might be an interesting feature, I think that there must be
a line drawn at what is and what isn't acceptable to maintain.

Check and see whether or not a similar feature exists in other
compilers. If so, then I'd start noting which ports are and which
aren't usable with this feature, and maybe approach the portmgr folks
to see what they think.

Maintaining this feature would be a pain though because it would
require a lot more QA work beyond just seeing whether or not things
build.

Cheers,
-Garrett