[CFT] SSP Package Repository available

Ronald Klop ronald-lists at klop.ws
Thu Sep 18 14:28:55 UTC 2014


On Thu, 21 Aug 2014 17:55:41 +0200, Bryan Drewery <bdrewery at freebsd.org>  
wrote:

> On 8/21/2014 6:56 AM, Ronald Klop wrote:
>> On Wed, 20 Aug 2014 18:34:22 +0200, Bryan Drewery <bdrewery at freebsd.org>
>> wrote:
>>
>>> On 9/21/2013 5:49 AM, Bryan Drewery wrote:
>>>> Ports now support enabling Stack Protector [1] support on FreeBSD 10
>>>> i386 and amd64, and older releases on amd64 only currently.
>>>>
>>>> Support may be added for earlier i386 releases once all ports properly
>>>> respect LDFLAGS.
>>>>
>>>> To enable, just add WITH_SSP=yes to your make.conf and rebuild all
>>>> ports.
>>>>
>>>> The default SSP_CFLAGS is -fstack-protector, but -fstack-protector-all
>>>> may optionally be set instead.
>>>>
>>>> Please help test this on your system. We would like to eventually enable
>>>> this by default, but need to identify any major ports that have run-time
>>>> issues due to it.
>>>>
>>>> [1] https://en.wikipedia.org/wiki/Buffer_overflow_protection
>>>>
>>>
>>> We have not had any feedback on this yet and want to get it enabled by
>>> default for ports and packages.
>>>
>>> We now have a repository that you can use rather than the default to
>>> help test. We need your help to identify any issues before switching the
>>> default.
>>>
>>> This repository is available for:
>>>
>>> head
>>> 10.0
>>> 9.1,9.2,9.3
>>>
>>> It is not available for 8.4. If someone is willing to test on 8.4 I will
>>> build a repository for it.
>>>
>>> Place this in /usr/local/etc/pkgs/repos/FreeBSD_ssp.conf:
>>>
>>> FreeBSD: { enabled: no }
>>> FreeBSD_ssp: {
>>>   url: "pkg+http://pkg.FreeBSD.org/${ABI}/ssp",
>>>   mirror_type: "srv",
>>>   signature_type: "fingerprints",
>>>   fingerprints: "/usr/share/keys/pkg",
>>>   enabled: yes
>>> }
>>>
>>> Once that is done you should force reinstall packages from this
>>> repository:
>>>
>>>   pkg update
>>>   pkg upgrade -f
>>>
>>> Thanks for your help!
>>> Bryan Drewery
>>> On behalf of portmgr.
>>>
>>
>>
>> Hi,
>>
>> Is it necessary to upgrade all packages at once or can I just enable
>> WITH_SSP and upgrade ports as they are updated in the ports tree?
>>
>
> You can let them update on their own if you wish. Of course SSP won't be
> in the binaries until they are rebuilt.
>

Hi,

As you wanted feedback: I have been running with WITH_SSP_PORTS=yes in
/etc/make.conf for about a month now on a desktop machine.
A lot of ports have been recompiled in the meantime. Things like Firefox,
icewm, urxvt, virtualbox.
No problems so far.

Cheers,
Ronald.
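
Added example, not part of the thread and not portmgr's tooling: since SSP only reaches a binary once it is rebuilt, this sketch reports which installed files already reference the stack-protector runtime by looking for `__stack_chk_fail` / `__stack_chk_guard` in `nm -D` output. The function names and sample symbol listings are constructed for illustration; with plain -fstack-protector only functions with character buffers get a canary, so "no-ref" is not proof that a package was built without SSP.

```shell
#!/bin/sh
# classify_symbols: read `nm -D`-style output on stdin and print one verdict:
#   ssp     - references the stack-protector runtime (canary check present)
#   no-ref  - dynamic symbols exist, but none belong to the SSP runtime
#   unknown - no symbol lines at all (static or stripped binary, or not ELF)
classify_symbols() {
    awk '
        NF >= 2 { seen = 1 }
        # Last field is the symbol name, optionally followed by @VERSION.
        $NF ~ /^__stack_chk_(fail|guard)(@.*)?$/ { ssp = 1 }
        END { print (ssp ? "ssp" : (seen ? "no-ref" : "unknown")) }
    '
}

# audit_tree DIR: print "<verdict><TAB><path>" for every regular file in DIR.
# nm errors (scripts, data files) are discarded and show up as "unknown".
audit_tree() {
    find "$1" -type f | while IFS= read -r f; do
        printf '%s\t%s\n' "$(nm -D "$f" 2>/dev/null | classify_symbols)" "$f"
    done
}

# Constructed sample: symbol listing of a binary rebuilt with SSP.
sample_ssp() {
    cat <<'EOF'
                 U __stack_chk_fail@FBSD_1.0
                 U printf@FBSD_1.0
0000000000400a10 T main
EOF
}

# Constructed sample: symbol listing of a binary with no SSP reference.
sample_plain() {
    cat <<'EOF'
                 U printf@FBSD_1.0
0000000000400a10 T main
EOF
}

# Stand-alone use: sh ssp_audit.sh /usr/local/bin
if [ $# -gt 0 ]; then
    audit_tree "$1"
fi
```

Running it before and after `pkg upgrade -f` and comparing the two listings shows which packages picked up SSP from the rebuilt repository.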

