
Heads-up: dpkg-buildflags switching to -fstack-protector-strong



Hi,

dpkg-buildflags will soon start using -fstack-protector-strong instead
of -fstack-protector as the compiler flag used to enable stack
protection. The new flag is a new feature introduced in GCC 4.9; more
information is available here:

 https://lwn.net/Articles/584225/
 http://www.outflux.net/blog/archives/2014/01/27/fstack-protector-strong/
 https://fedorahosted.org/fesco/ticket/1128

There was a previous discussion about this on the dpkg mailing list, see:

 https://lists.debian.org/debian-dpkg/2014/06/msg00031.html

In preparation for this switch David Suárez did a full archive rebuild on
EC2, the results of which are detailed in the post linked above.
In summary, the bulk of the failures is for packages that explicitly use
an older GCC version, which doesn't understand -fstack-protector-strong.
If your package is affected, you will need to filter out the new flag
and re-add the old one, or disable stack protection entirely (which is
the least preferred option). See dpkg-buildflags(1) for details on how
to do this.

Also, if your package uses hardening-wrapper or hardening-includes, now
would be a good time to switch to dpkg-buildflags.

Finally, please note that this new flag will not be used on m68k, or1k,
powerpcspe, sh4, and x32. The stack protector itself is currently
disabled on ia64, alpha, mips, mipsel, hppa, and arm64.

If you have any concerns or comments about this, please voice them now.

Thanks,
-- 
Romain Francoise <rfrancoise@debian.org>
http://people.debian.org/~rfrancoise/
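
The workaround described in the message for a package built with an older GCC, written out as a debian/rules file. This is an added example, not part of the original message or of any Debian package; the gcc-4.8 pin and the dh-style rules layout are assumptions, while the DEB_*_MAINT_* variables are the maintainer overrides documented in dpkg-buildflags(1).

```make
#!/usr/bin/make -f
# Constructed debian/rules for a hypothetical package that must build with a
# compiler older than GCC 4.9, which rejects -fstack-protector-strong.

# Assumption: the package pins an older compiler.
export CC = gcc-4.8
export CXX = g++-4.8

# Preferred fix: strip the new flag from what dpkg-buildflags returns and
# re-add the old one, so the build keeps stack protection.
export DEB_CFLAGS_MAINT_STRIP = -fstack-protector-strong
export DEB_CFLAGS_MAINT_APPEND = -fstack-protector
export DEB_CXXFLAGS_MAINT_STRIP = -fstack-protector-strong
export DEB_CXXFLAGS_MAINT_APPEND = -fstack-protector

# Least preferred alternative (leave commented out unless the old flag also
# fails): disable the stack protector feature entirely.
# export DEB_BUILD_MAINT_OPTIONS = hardening=-stackprotector

# To check the result, run with the same variables set in the environment:
#   dpkg-buildflags --get CFLAGS
# The output should contain -fstack-protector and not -fstack-protector-strong.

%:
	dh $@
```

Packages that compile other languages with the old compiler need the same STRIP/APPEND pair for the corresponding flag variable.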

