From owner-freebsd-ports@freebsd.org Mon Aug 31 18:37:28 2015 Return-Path: Delivered-To: freebsd-ports@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3ACA19C65B0 for ; Mon, 31 Aug 2015 18:37:28 +0000 (UTC) (envelope-from pfg@FreeBSD.org) Received: from nm35-vm8.bullet.mail.bf1.yahoo.com (nm35-vm8.bullet.mail.bf1.yahoo.com [72.30.239.58]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id E29B8CE4 for ; Mon, 31 Aug 2015 18:37:27 +0000 (UTC) (envelope-from pfg@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1441046046; bh=42PvFDpYr9tAHSOgmcunjyLvODNgDyex4u1KB7oFBPA=; h=From:Subject:To:Cc:Date:From:Subject; b=DgUEsbcFEtHeijyoDkIpmhzJF9eJ0SQCQPdkWGLdAVB55Mij6fMjorRay1YTjFtXK/YQyCBk8WkxLejOF/QQEN61Y4Hu837AB8lZ1WwC4x6xNOvMxNXbHEuJrv/XZe9oGqebiIRG07rO9jVlTMGI7pmuA3eSCmYH+OTA/j7esmwaBPBomi69SBTQ7a3RPIrH+qzPcO99gJz0AfuYm1fZBa0u7HdTVLDzKu7kTl649yl3f575aGIy/42vmIDhSkotFS7BYzdHI/2y+oEahH2zTPhWmG1rr1Kmsbl5ctnmtpvZ9/9E+28RWd5jO975vYviSpitYnhtTKwu53Ux73F7Nw== Received: from [98.139.214.32] by nm35.bullet.mail.bf1.yahoo.com with NNFMP; 31 Aug 2015 18:34:06 -0000 Received: from [68.142.230.77] by tm15.bullet.mail.bf1.yahoo.com with NNFMP; 31 Aug 2015 18:34:06 -0000 Received: from [127.0.0.1] by smtp234.mail.bf1.yahoo.com with NNFMP; 31 Aug 2015 18:34:06 -0000 X-Yahoo-Newman-Id: 308686.11416.bm@smtp234.mail.bf1.yahoo.com X-Yahoo-Newman-Property: ymail-3 X-YMail-OSG: XYnwuJgVM1nrF7lWI2cNhY_QZvgUUM3rHP6b8SIjs8ZTmmh ihRdRf26X8PFKSwtbSEe04DHASPC6xXKrKWeqF9iY04HH9OwM.Dby27RtZXl m4YkRZ8NGuj8Tc.TOP6cxkenriqa1bqCy1cLnBxrDTjnoOIVgNYqc5Cnyt1s o8uYgS_ByeMQK7Qp9qCqQnnDfw7T3GAVgfaAVgTES2EEIRIQ.eUc1dS5JeUp BNkSD4NTr..R8b2GcROhGkUSYfQrIPAdfvRUs074PkUs3sfpRG8zVXNH5hTe HQhA_vruzjV23.2tolXPVJn.OZ.Y3w39tE6NLv1Ou8upU_BdDhs8XbJtLZKt r9jXYveMYlv6h0dBj8L9XO67kmgyq8uvBNdIsgiTMObRBTgq4YJQiLILokXd IJHeKRY.II2rEyM9p.91_lVimn3ftmztbXkZkXcFexzz48BRwqZZ3KJxMA5e m1G.TM4zoysH0E_I8NJ6oo5GTFLhztN.FV7KqSYWwXS5Sm0YIKz2kO5R9zJX kYDGpfB1YeQ15YpIkokeYy0AFEEyepuTq X-Yahoo-SMTP: xcjD0guswBAZaPPIbxpWwLcp9Unf From: Pedro Giffuni Subject: [CFdiscussion] ports and FORTIFY_SOURCE To: freebsd-ports@FreeBSD.org Cc: Oliver Pinter Message-ID: <55E49E1E.2080005@FreeBSD.org> Date: Mon, 31 Aug 2015 13:34:06 -0500 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-ports@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: Porting software to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 31 Aug 2015 18:37:28 -0000 Dear ports developers; This year I mentored Oliver Pinter's GSoC project [1] to port FORTIFY_SOURCE to FreeBSD. The project was more complex than we thought initially but it was successful. For those of you that haven't heard of it, it's a trick supported by libc to enable bounds-checking on common string and memory functions. The code has gone through extensive testing with both clang and the base gcc. It should work fine with newer gcc but it is untested there. To activate it you will just need to add -D_FORTIFY_SOURCE=1 (or 2) in the CFLAGS and that will transparently add the extra checks. The code is non invasive but some ports (firefox, emacs) actually choose to run with this flag on by default and an exp-run found some errors in those cases. There are currently two remaining PRs with patches for mail/ifile (202572) and net-p2p/namecoin (2012603), getting those committed soon would avoid traumas in the ports tree once FORTIFY_SOURCE is committed. In the future it would be nice to support a flag within ports to enable or disable this extra flag for specific ports. I am unsure exactly how to do it, it could be something as simple as USE_FORTIFY= yes or as complex as USES= compiler:fortify=0 (0 disables it, 1 is standard for clang. 2 is standard for gcc) I plan to bring this code to FreeBSD-11 only. I am unsure exactly when the code will be brought in though. At this time, I am just giving more time for reviewers [2] but I thought I'd give some more space for feedback from the ports as well since they will see the greatest benefits from this framework. Regards, Pedro. [1] https://wiki.freebsd.org/SummerOfCode2015/FreeBSDLibcSecurityExtensions [2] https://reviews.freebsd.org/D3459