
Re: stack protection



Russell Coker wrote:

> It sounds like we need a propolice enabled GCC.

I have talked to Matthias Klose, one of the GCC maintainers, about this. He included the patch so he could build ProPolice-enabled packages of gcc and g++, but he's currently too busy with other things. He might accept a patch that builds these packages, but we really need to hurry if we want these compilers released with sarge. Maybe some of the Adamantix developers will help?

However, ProPolice has not been ported to all architectures yet, see http://www.research.ibm.com/trl/projects/security/ssp/statuschart.html for details.

> There are other stack protection mechanisms too, but propolice seems the most popular. Some investigation would need to be done into the relative merits of the various options (propolice has much better support apparently which will be a major factor).

I think ProPolice is the best choice, first because Adamantix has tested it for quite some time. Second, ProPolice offers the best protection according to http://www.research.ibm.com/trl/projects/security/ssp/node4.html#SECTION00045000000000000000 and finally it even offers the best performance (http://www.research.ibm.com/trl/projects/security/ssp/node5.html).

IMHO innovations in Debian have been rare in the past 2 years (compared to other major distributions), so maybe this is a chance for Debian...

Stefan


