
Bug#233208: Request for stack protector enabled by default



merge 213994 233208
thanks

Thomas Sjögren writes:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Package: gcc-3.3
> Version: 3.3.3-0pre4
> Priority: wishlist
> 
> As Javier Fernandez-Sanguino Pen~a and David Alan Gilbert mention in
> #213994 [1] it would be a good thing if the SSP patch in the GCC-package

please use follow-ups to existing reports.

> would be enabled by default. This would, hopefully, make developers
> compile packages with the -fstack-protector, or -fstack-protector-all,
> option and thus increase the basic security of Debian.
> The protector compile option has been tested successfully, for example:
> 1. The Adamantix distribution [2], based on Debian, which uses this option by 
> default has recompiled many packages with this option without any real problems.
> 2. Hardened-Gentoo [3] uses this option as well.
> 3. The recompiled gcc package made available by Steve Kemp [4] works
> without any problems on Debian stable and unstable and has been used to
> compile both 2.4 and 2.6 vanilla kernels [5] and a number of different
> packages and programs (Apache, the GCC-package itself, ...).

the patch will not be enabled for the upcoming sarge release. the
toolchain is frozen. I don't know if it will be enabled for sid. you
show that some testing on ix86 has been done, but not for other
architectures. My point for not enabling it is that I don't have the
resources to have an upstream compiler for each affected architecture
and the time to revalidate each report submitted to the Debian BTS
with an upstream compiler.

	Matthias


