Building ports with stack-protector
Janne Snabb
snabb at epipe.com
Sun May 30 02:19:11 UTC 2010
Hi,
Big thanks to the folks who made "make buildworld" to use
-fstack-protector by default since 8.0. This should make FreeBSD
more secure.
How about the ports system?
I tried to re-build all my ports some time ago with the stack-protector
enabled by adding -fstack-protector in CFLAGS in /etc/make.conf.
Most ports build & work fine with this enabled, but there are several
exceptions. Some libraries cannot be compiled with this (either the
build fails or linking other programs which use the library later
fail). Also some programs that do strange things fail to build or
run.
IMHO it would make sense to make some sort of framework in the ports
system to support this. I think there should be a port Makefile
knob which tells if the port can be built with the stack-protector
or not. Now it is difficult to determine on port-by-port basis if
it can be enabled or not.
Is there any work or plans to accomplish this?
It would be great to compile at least all the network facing server
programs with this enabled. I have an impression that more than 90%
of programs can be compiled with the stack-protector. For libraries
the percentage might be less.
What do you think?
Best Regards,
--
Janne Snabb / EPIPE Communications
snabb at epipe.com - http://epipe.com/
More information about the freebsd-ports
mailing list