From owner-freebsd-ports@FreeBSD.ORG Sun May 30 02:53:31 2010
From: Garrett Cooper
To: Janne Snabb
Cc: freebsd-ports@freebsd.org
Date: Sat, 29 May 2010 19:53:29 -0700
Subject: Re: Building ports with stack-protector
List-Id: Porting software to FreeBSD
X-List-Received-Date: Sun, 30 May 2010 02:53:31 -0000

On Sat, May 29, 2010 at 7:19 PM, Janne Snabb wrote:
> Hi,
>
> Big thanks to the folks who made "make buildworld" use
> -fstack-protector by default since 8.0. This should make FreeBSD
> more secure.
>
> How about the ports system?
>
> I tried to re-build all my ports some time ago with the stack-protector
> enabled by adding -fstack-protector to CFLAGS in /etc/make.conf.
> Most ports build & work fine with this enabled, but there are several
> exceptions. Some libraries cannot be compiled with this (either the
> build fails or linking other programs which use the library later
> fails). Also some programs that do strange things fail to build or
> run.
>
> IMHO it would make sense to make some sort of framework in the ports
> system to support this. I think there should be a port Makefile
> knob which tells if the port can be built with the stack-protector
> or not. Now it is difficult to determine on a port-by-port basis if
> it can be enabled or not.
>
> Is there any work or plans to accomplish this?
>
> It would be great to compile at least all the network-facing server
> programs with this enabled. I have an impression that more than 90%
> of programs can be compiled with the stack-protector. For libraries
> the percentage might be less.
>
> What do you think?

While this might be an interesting feature, I think that there must be a
line drawn at what is and what isn't acceptable to maintain. Check and
see whether or not a similar feature exists in other compilers. If so,
then I'd start noting which ports are and which aren't usable with this
feature, and maybe approach the portmgr folks to see what they think.

Maintaining this feature would be a pain though because it would require
a lot more QA work beyond just seeing whether or not things build.

Cheers,
-Garrett
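A sketch of the per-port knob Janne asks for and of the "is it actually enabled" check Garrett's QA concern implies, added here as an example; it is not code from this thread or from the FreeBSD ports tree. WITH_SSP, SSP_UNSAFE, SSP_CFLAGS and the ssp-check target are hypothetical names; ${PLIST}, ${PREFIX}, CFLAGS and CXXFLAGS are ordinary ports variables.

```make
# Hypothetical bsd.port.mk-style fragment (added example, not the real ports
# framework).  A global opt-in from /etc/make.conf (WITH_SSP=yes) turns the
# protector on for every port, and a port whose build or resulting library is
# known to break with it opts out by setting SSP_UNSAFE in its own Makefile.
.if defined(WITH_SSP) && !defined(SSP_UNSAFE)
SSP_CFLAGS?=	-fstack-protector
CFLAGS+=	${SSP_CFLAGS}
CXXFLAGS+=	${SSP_CFLAGS}
.endif

# In an individual port's Makefile, record the reason next to the opt-out so
# the list of exceptions stays reviewable:
#   SSP_UNSAFE=	yes	# hand-written assembly prologue, breaks the canary check

# QA helper: "it builds" is not the same as "it was built with the protector".
# Walk the bin/, sbin/ and lib/ entries of the packing list and look for the
# undefined reference to the canary-failure hook that instrumented code pulls
# in from libc.  A file with no instrumented functions (no char arrays large
# enough to trigger -fstack-protector) legitimately shows no reference, so
# "NO SSP" is a prompt to look closer, not proof that the flag was dropped.
ssp-check:
	@for f in `sed -E -n 's,^(bin|sbin|lib)/,${PREFIX}/&,p' ${PLIST}`; do \
		if nm -u "$$f" 2>/dev/null | grep -q '__stack_chk_fail'; then \
			echo "SSP:    $$f"; \
		else \
			echo "NO SSP: $$f"; \
		fi; \
	done
```

Running `make ssp-check` after `make install` in a port directory prints one line per installed binary or library; the scan covers both executables and shared libraries, since the latter are where Janne reports most of the breakage.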