[CFdiscussion] ports and FORTIFY_SOURCE
bapt at FreeBSD.org
Wed Sep 2 15:12:44 UTC 2015
On Mon, Aug 31, 2015 at 01:34:06PM -0500, Pedro Giffuni wrote:
> Dear ports developers;
> This year I mentored Oliver Pinter's GSoC project to port
> FORTIFY_SOURCE to FreeBSD. The project was more complex than we
> thought initially but it was successful.
> For those of you that haven't heard of it, it's a trick supported by
> libc to enable bounds-checking on common string and memory functions.
> The code has gone through extensive testing with both clang and the
> base gcc. It should work fine with newer gcc but it is untested there.
> To activate it you will just need to add -D_FORTIFY_SOURCE=1 (or 2) in
> the CFLAGS and that will transparently add the extra checks. The code
> is non-invasive but some ports (firefox, emacs) actually choose to run
> with this flag on by default and an exp-run found some errors in those
> There are currently two remaining PRs with patches for mail/ifile
> (202572) and net-p2p/namecoin (2012603), getting those committed soon
> would avoid traumas in the ports tree once FORTIFY_SOURCE is committed.
> In the future it would be nice to support a flag within ports to enable
> or disable this extra flag for specific ports. I am unsure exactly how
> to do it, it could be something as simple as
> USE_FORTIFY= yes
> or as complex as
> USES= compiler:fortify=0
> (0 disables it, 1 is standard for clang. 2 is standard for gcc)
IMHO it should be done the exact same way as SSP was added, meaning always
activated and ports that are not playing safely with it should explicitly
disable it via:
and a WITHOUT_FORTIFY (like we have a WITHOUT_SSP) should be added for people
willing to entirely remove it.
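An added illustration, not part of the original messages and not FreeBSD's libc code, of the mechanism the quoted announcement describes: with `_FORTIFY_SOURCE` defined, a call such as `memcpy()` is redirected to a checking routine that receives the destination size the compiler can see. All `demo_` names are hypothetical, and the sketch assumes GCC or clang for `__builtin_object_size`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a libc "_chk" routine (hypothetical name). A real one
 * aborts the process on overflow; this one returns -1 so the outcome
 * can be inspected. */
static int demo_memcpy_chk(void *dst, const void *src, size_t n,
                           size_t dst_size)
{
    /* (size_t)-1 means the compiler could not determine the size:
     * there is nothing to check against, so act like plain memcpy(). */
    if (dst_size != (size_t)-1 && n > dst_size)
        return -1;                  /* write would run past dst */
    memcpy(dst, src, n);
    return 0;
}

/* What a fortified header does in spirit: the call site passes along
 * the destination size known at compile time. */
#define demo_memcpy(dst, src, n) \
    demo_memcpy_chk((dst), (src), (n), __builtin_object_size((dst), 0))

/* Copy len bytes of a request into a 16-byte local buffer through the
 * wrapper; the size of buf is visible to the compiler here. */
static int demo_store(const char *req, size_t len)
{
    char buf[16];
    return demo_memcpy(buf, req, len);
}

int main(void)
{
    const char req[32] = "constructed sample input"; /* constructed */

    printf("copy  8 bytes into 16: %d\n", demo_store(req, 8));
    printf("copy 24 bytes into 16: %d\n", demo_store(req, 24));
    return 0;
}
```

A port that fails under the flag is typically one whose copy lengths exceed a destination size the compiler can prove, which is the case the second call exercises.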