From nobody Wed Jun 17 22:40:54 2026
X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ggf2t6XRKz6hvn3
	for <dev-commits-src-main@mlmmj.nyi.freebsd.org>; Wed, 17 Jun 2026 22:40:54 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "YR1" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4ggf2t3KnKz4K0f
	for <dev-commits-src-main@FreeBSD.org>; Wed, 17 Jun 2026 22:40:54 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1781736054;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=5KkUyLktgG5/o3mmXH16oBrRKv5xiMtvFy2fBS8HAH4=;
	b=xTXseggJqYrMV8rHUYvzoVm+JBADpjRgovmHkfABnUJIiBLX8S2npwaWgSZBTsY4Nixz//
	RmpM8MV5PeDIkZHhGYYt2eh6qiVsMX5jJ/1PLBao8TabmhwJubCHz2l3EWabytnhAAa4JX
	k0nBZs3PDoL8gJ1kiOnLnM2Db8P/o87IhYErWJGDGzgX6dtt+vdefBu5wKDRTXgLTsKCEZ
	4vKDKHJm4GGn2d5ECOOoTA1xAS7PfjddyevdkyqmVYD3j2WRxheMXLZVklaklklTHlzFWS
	RvoWm3u5PQ9c3khRF1Ped2/06AV/0Q1HGx91NmiAyysEvmyWcjM35yWYeyWmWQ==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781736054; a=rsa-sha256; cv=none;
	b=gUrEPqZHRPnlDMjhr14HrYgqppKtq8BJG0tHqoVO+rTnzHbsSxsZ4dLp/aACRW/G05mae7
	unhdBnAySsX2ZLK9kV7+VxALSGqHUZ2g4te1Rp4mPoV3gQfxu6HUGDMrLLu4F+rBdfhL0o
	UR1fMqqOEWwR2SvxNJ1r3lm5WUExSNgYPjjl1YLD1Y25CZo8xi6Y+vCEMEAgWE0Vra2KJs
	v/BBIwi9gaJw+bXjxCQYNGVW/2NDl1FwWBWJDRUdE0k2MtIW5NzlRZWRStm41dyc2hFSXb
	05+UZaIVw2nl69YHzrR6m8iooFckM09F+N3GselgGhmxtAeVMTMqezGFgApxBA==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1781736054;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=5KkUyLktgG5/o3mmXH16oBrRKv5xiMtvFy2fBS8HAH4=;
	b=x90ZLUa7xHD48noKMo8tzeoFmECALCc5iqpYbs9/QBbU8Imyb29bl/Ora2mIdDWrpU42+w
	Khiah+QF3XPYkqPyv6T3LQA4JUrU5Kf32C3Cg2st501wFPbCDaWgZVO2rwy5VL2+1KD6xC
	lz7WKLsITsJCq+f5UiaUAD0NYPWCDp8jxKasYc9a1YOuts+Xbqgs2PyYWDfSYN07messh4
	jTVzEcHkIh3/QY3VUyokLYYWDRn+6Ir4J7fW7qb4dLaETRaxmkw5mH1ytjlQRC8FSfQCWZ
	5Nbb36PfFRjSiFFYEGZcwuzsn0tBkvlyrMHQ+Wm2xHrT25j3uqwva/4ruKc44g==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4ggf2t2PD3zXgp
	for <dev-commits-src-main@FreeBSD.org>; Wed, 17 Jun 2026 22:40:54 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from git (uid 1279)
	(envelope-from git@FreeBSD.org)
	id 4778c
	by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org);
	Wed, 17 Jun 2026 22:40:54 +0000
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Kyle Evans <kevans@FreeBSD.org>
Subject: git: 13184a69faa7 - main - build: provide a FORTIFY_SOURCE.<src file> override
List-Id: Commit messages for the main branch of the src repository <dev-commits-src-main.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
List-Help: <mailto:dev-commits-src-main+help@freebsd.org>
List-Post: <mailto:dev-commits-src-main@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-main+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-main+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-main@freebsd.org
Sender: owner-dev-commits-src-main@FreeBSD.org
List-Id: <dev-commits-src-main.FreeBSD.org>
List-Post: <mailto:dev-commits-src-main@FreeBSD.org>
List-Help: <mailto:dev-commits-src-main+help@FreeBSD.org>
List-Subscribe: <mailto:dev-commits-src-main+subscribe@FreeBSD.org>
List-Unsubscribe: <mailto:dev-commits-src-main+unsubscribe@FreeBSD.org>
List-Owner: <mailto:postmaster@FreeBSD.org>
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: kevans
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 13184a69faa700319ab16357cd39708a0e89fc15
Auto-Submitted: auto-generated
Date: Wed, 17 Jun 2026 22:40:54 +0000
Message-Id: <6a332276.4778c.72ea74c8@gitrepo.freebsd.org>

The branch main has been updated by kevans:

URL: https://cgit.FreeBSD.org/src/commit/?id=13184a69faa700319ab16357cd39708a0e89fc15

commit 13184a69faa700319ab16357cd39708a0e89fc15
Author:     Kyle Evans <kevans@FreeBSD.org>
AuthorDate: 2026-06-17 22:40:46 +0000
Commit:     Kyle Evans <kevans@FreeBSD.org>
CommitDate: 2026-06-17 22:40:46 +0000

    build: provide a FORTIFY_SOURCE.<src file> override
    
    For native files we can do more minimal fixes to avoid this large of a
    hammer, but for third party files it may not be worth the effort to try
    and patch them.  NetBSD has the original _FORTIFY_SOURCE implementation
    that ours is based on, for instance, but tests sourced from there can't
    do an __ssp_real(foo) without being certain that `foo` actually has a
    fortified definition.
    
    This change does always define _FORTIFY_SOURCE as a result, so gate it
    on CFLAGS not already containing _FORTIFY_SOURCE definitions.
    
    This re-applies c46a0b59071614, but without re-defining _FORTIFY_SOURCE
    needlessly.
    
    PR:             294881
    Reviewed by:    markj, sjg (both previous version)
    Differential Revision:  https://reviews.freebsd.org/D57356
---
 share/mk/bsd.sys.mk | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/share/mk/bsd.sys.mk b/share/mk/bsd.sys.mk
index 4ffac401eb4c..139cb8bec843 100644
--- a/share/mk/bsd.sys.mk
+++ b/share/mk/bsd.sys.mk
@@ -307,9 +307,6 @@ CLANG_OPT_SMALL+= -mllvm -simplifycfg-dup-ret
 CLANG_OPT_SMALL+= -mllvm -enable-load-pre=false
 CFLAGS.clang+=	 -Qunused-arguments
 
-# XXX This should be defaulted to 2 when WITH_SSP is in use after further
-# testing and soak time.
-FORTIFY_SOURCE?=	0
 .if ${MK_SSP} != "no"
 # Don't use -Wstack-protector as it breaks world with -Werror.
 .if ${COMPILER_FEATURES:Mstackclash}
@@ -319,9 +316,19 @@ SSP_CFLAGS?=	-fstack-protector-strong
 .endif
 CFLAGS+=	${SSP_CFLAGS}
 .endif # SSP
-.if ${FORTIFY_SOURCE} > 0
-CFLAGS+=	-D_FORTIFY_SOURCE=${FORTIFY_SOURCE}
-CXXFLAGS+=	-D_FORTIFY_SOURCE=${FORTIFY_SOURCE}
+
+# XXX This should be defaulted to 2 when WITH_SSP is in use after further
+# testing and soak time.
+FORTIFY_SOURCE?=	0
+
+# We want to avoid defining _FORTIFY_SOURCE if it's set to 0, but we rely on
+# deferred-evaluation for ${.IMPSRC} to expand.  The below construction
+# is, unfortunately, necessary.
+.if empty(CFLAGS:M-D_FORTIFY_SOURCE*)
+CFLAGS+=	${FORTIFY_SOURCE.${.IMPSRC:T}:U${FORTIFY_SOURCE}:S/^/-D_FORTIFY_SOURCE=/:N*=0}
+.endif
+.if empty(CXXFLAGS:M-D_FORTIFY_SOURCE*)
+CXXFLAGS+=	${FORTIFY_SOURCE.${.IMPSRC:T}:U${FORTIFY_SOURCE}:S/^/-D_FORTIFY_SOURCE=/:N*=0}
 .endif
 
 # Additional flags passed in CFLAGS and CXXFLAGS when MK_DEBUG_FILES is