[CFT] SSP Package Repository available

[Bryan Drewery]

On 9/21/2013 5:49 AM, Bryan Drewery wrote:
> Ports now support enabling Stack Protector [1] support on FreeBSD 10
> i386 and amd64, and older releases on amd64 only currently.
> 
> Support may be added for earlier i386 releases once all ports properly
> respect LDFLAGS.
> 
> To enable, just add WITH_SSP=yes to your make.conf and rebuild all ports.
> 
> The default SSP_CLFAGS is -fstack-protector, but -fstack-protector-all
> may optionally be set instead.
> 
> Please help test this on your system. We would like to eventually enable
> this by default, but need to identify any major ports that have run-time
> issues due to it.
> 
> [1] https://en.wikipedia.org/wiki/Buffer_overflow_protection
> 

We have not had any feedback on this yet and want to get it enabled by
default for ports and packages.

We now have a repository that you can use rather than the default to
help test. We need your help to identify any issues before switching the
default.

This repository is available for:

head
10.0
9.1,9.2,9.3

It is not available for 8.4. If someone is willing to test on 8.4 I will
build a repository for it.

Place this in /usr/local/etc/pkgs/repos/FreeBSD_ssp.conf:

FreeBSD: { enabled: no }
FreeBSD_ssp: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/ssp",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}

Once that is done you should force reinstall packages from this repository:

  pkg update
  pkg upgrade -f

Thanks for your help!
Bryan Drewery
On behalf of portmgr.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20140820/69ef232c/attachment.sig>