[CFT] SSP Package Repository available

Bryan Drewery bdrewery at FreeBSD.org
Wed Aug 20 19:40:20 UTC 2014 

On 8/20/2014 2:26 PM, Matthias Andree wrote:
> Am 20.08.2014 um 18:34 schrieb Bryan Drewery:
> 
>> We have not had any feedback on this yet and want to get it enabled by
>> default for ports and packages.
> 
> Oops. Sorry about being silent about that;
> I did enable WITH_SSP_PORTS=yes right after the original announcement on
> my main 9.3-amd64 development machine (run mostly headless, but it does
> have a full GNOME2 install) without ill effects, so at least it does not
> appear to jam everything right away, and given that Fedora is using it
> and they are rather talkative to upstreams about bugs, you'd think most
> packages that have issues are fixed now.

Yeah I am sure it will largely be fine as well. I just worry about some
sloppy coding breaking some popular port, or some clever hack that
results in crashing with SSP.

I also have this vague worry that something might break if the system is
half using SSP. Given the linker script on 10 (cat cat /usr/lib/libc.so)
though I think it is definitely safe there.

Given the feedback already I am confident we'll enable it by default in
a few weeks. Too much moving right now to do it now though.

This will also free up a lot of resources for other package building
opportunities.

> 
> 
> Is there any way we can detect the effects of -fstack-protector from the
> resulting executable, with peeking at objdump output?  Like so:
> 
> $ objdump -R /usr/local/bin/twolame | grep stack_chk
> 0000000000605ce0 R_X86_64_COPY     __stack_chk_guard
> 00000000006053b0 R_X86_64_JUMP_SLOT  __stack_chk_fail
> 
> Should we have stage-qa - at least in DEVELOPER=yes WITH_SSP_PORTS=yes
> mode - check that either -fstack-protector{,-all,-strong} actually
> propagated through the build system?

I like that idea for a warning. We would have to ensure only ELF files
are checked and probably exp-run it to avoid other false-positives.


-- 
Regards,
Bryan Drewery

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-ports/attachments/20140820/938af2e7/attachment.sig>

More information about the freebsd-ports mailing list