Date:      Wed, 20 Aug 2014 14:10:24 -0400
From:      Adam McDougall <mcdouga9@egr.msu.edu>
To:        freebsd-ports@freebsd.org
Subject:   Re: [CFT] SSP Package Repository available
Message-ID:  <53F4E490.3000907@egr.msu.edu>
In-Reply-To: <34632ff93c04551e334a659512a728a9@mailbox.ijs.si>
References:  <523D79CD.2090302@FreeBSD.org> <53F4CE0E.8040106@FreeBSD.org> <34632ff93c04551e334a659512a728a9@mailbox.ijs.si>

On 08/20/2014 13:20, Mark Martinec wrote:
> 2014-08-20 18:34 Bryan Drewery wrote:
>> On 9/21/2013 5:49 AM, Bryan Drewery wrote:
>>> Ports now support enabling Stack Protector [1] support on FreeBSD 10
>>> i386 and amd64, and older releases on amd64 only currently.
>>>
>>> Support may be added for earlier i386 releases once all ports properly
>>> respect LDFLAGS.
>>>
>>> To enable, just add WITH_SSP=yes to your make.conf and rebuild all
>>> ports.
>>>
>>> The default SSP_CFLAGS is -fstack-protector, but -fstack-protector-all
>>> may optionally be set instead.
>>>
>>> Please help test this on your system. We would like to eventually enable
>>> this by default, but need to identify any major ports that have run-time
>>> issues due to it.
>>>
>>> [1] https://en.wikipedia.org/wiki/Buffer_overflow_protection
>>>
>>
>> We have not had any feedback on this yet and want to get it enabled by
>> default for ports and packages.
>>
>> We now have a repository that you can use rather than the default to
>> help test. We need your help to identify any issues before switching the
>> default.
>>
>> This repository is available for:
>>
>> head
>> 10.0
>> 9.1,9.2,9.3
>>
>> It is not available for 8.4. If someone is willing to test on 8.4 I will
>> build a repository for it.
>>
>> Place this in /usr/local/etc/pkgs/repos/FreeBSD_ssp.conf:
>>
>> FreeBSD: { enabled: no }
>> FreeBSD_ssp: {
>>   url: "pkg+http://pkg.FreeBSD.org/${ABI}/ssp",
>>   mirror_type: "srv",
>>   signature_type: "fingerprints",
>>   fingerprints: "/usr/share/keys/pkg",
>>   enabled: yes
>> }
>>
>> Once that is done you should force reinstall packages from this
>> repository:
>>
>>   pkg update
>>   pkg upgrade -f
>>
>> Thanks for your help!
>> Bryan Drewery
>> On behalf of portmgr.
> 
> I'm building about 2000 ports for our 10.0 servers and workstations using
> poudriere since the 10.0 release, using WITH_SSP_PORTS=yes in poudriere's
> make.conf. I suppose the WITH_SSP_PORTS=yes is equivalent to WITH_SSP=yes
> but limited to ports (not sure where I got this setting, must have been
> some announcement).
> 
> So far I haven't come across any ill effects that I could attribute to SSP.
> 
>   Mark

I concur with Mark, with my 1400+ packages for workstations and servers,
I have had zero issues.  This seems like a pretty safe change.  I just
confirmed -fstack-protector is in my build logs although less frequently
than I assumed for ports such as zenity, meld, pidgin (once or twice
each).  Other ports such as vlc mention it 2029 times.  Not sure if the
low counts are expected.
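A quick way to check the point Adam raises above (how many compiler invocations in a build log actually carry -fstack-protector, and which ones do not): an added example, not part of the original thread. It assumes POSIX sh and awk; the sample log lines are constructed, and a real poudriere log would be fed on stdin instead.

```shell
#!/bin/sh
# Added example (not from the thread): audit a ports/poudriere build log for
# compiler invocations with and without a -fstack-protector* flag.
# The sample log lines below are constructed for illustration.

SAMPLE_LOG='cc -O2 -pipe -fstack-protector -fno-strict-aliasing -c foo.c -o foo.o
cc -O2 -pipe -fstack-protector -fno-strict-aliasing -c bar.c -o bar.o
gcc -O2 -pipe -c baz.c -o baz.o
cc -O2 -pipe -fstack-protector -fno-strict-aliasing -o foo foo.o bar.o
checking whether the C compiler works... yes'

# Keep only lines whose first word is a C/C++ compiler driver.
compiler_lines() {
    awk '$1 ~ /^(cc|gcc|clang|c[+][+]|g[+][+]|clang[+][+])$/'
}

# Read a log on stdin; print "<with> <without>": compiler invocations that
# carry -fstack-protector (any variant, e.g. -all or -strong) vs. those that
# do not. Link lines count too, since the driver is invoked for them as well.
count_ssp() {
    compiler_lines | awk '
        { ssp = 0
          for (i = 2; i <= NF; i++) if ($i ~ /^-fstack-protector/) ssp = 1
          if (ssp) on++; else off++ }
        END { printf "%d %d\n", on + 0, off + 0 }'
}

# Read a log on stdin; print the compiler invocations that lack the flag,
# i.e. the build steps that did not pick up the CFLAGS the ports framework set.
missing_ssp() {
    compiler_lines | awk '
        { ssp = 0
          for (i = 2; i <= NF; i++) if ($i ~ /^-fstack-protector/) ssp = 1
          if (!ssp) print }'
}

printf '%s\n' "$SAMPLE_LOG" | count_ssp
printf '%s\n' "$SAMPLE_LOG" | missing_ssp
```

Against a real log, run `count_ssp < build.log` and `missing_ssp < build.log` (the log path is whatever poudriere wrote for the port in question).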
