public inbox for gcc-bugs@sourceware.org
* [Bug other/112897] New: Have a configure option for all common flags used by default on distros
@ 2023-12-07  8:39 ago at gentoo dot org
  2023-12-07 10:56 ` [Bug other/112897] " rguenth at gcc dot gnu.org
                   ` (6 more replies)
  0 siblings, 7 replies; 8+ messages in thread
From: ago at gentoo dot org @ 2023-12-07  8:39 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112897

            Bug ID: 112897
           Summary: Have a configure option for all common flags used by
                    default on distros
           Product: gcc
           Version: 13.2.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: other
          Assignee: unassigned at gcc dot gnu.org
          Reporter: ago at gentoo dot org
  Target Milestone: ---

Historically, distros like Gentoo Hardened used patches to make gcc compile by
default with pie/ssp.

After many years these patches are no longer needed because they have
been 'translated' into a configure option by upstream (--enable-default-pie
--enable-default-ssp), so I'm wondering about creating a proper configure option
for the flags most commonly used on distros.

That means doing the job once upstream, and then distros can use the proper
configure option, while at the moment distros need to rebase patches on each gcc bump.

This is what I have found from a rapid search:

Debian:
https://salsa.debian.org/toolchain-team/gcc/-/blob/master/debian/patches/gcc-distro-specs.diff

Fedora (there are other unrelated patches):
https://download.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/source/tree/Packages/g/gcc-13.2.1-5.fc40.src.rpm

Gentoo (there are other unrelated patches):
https://gitweb.gentoo.org/proj/gcc-patches.git/tree/13.2.0/gentoo

What do you think?

* [Bug other/112897] Have a configure option for all common flags used by default on distros
From: rguenth at gcc dot gnu.org @ 2023-12-07 10:56 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112897

--- Comment #1 from Richard Biener <rguenth at gcc dot gnu.org> ---
We don't want people to go wild with changing defaults and delivering a totally
different (bad?) experience or doing that too easily.

You can always use specs to do this for example.

But yeah, SUSE carries a patch adding a 'defaults.spec' for this.

What's the flag you want to enable this time?  IMHO different configure
flags for hardening defaults are the way to go.

* [Bug other/112897] Have a configure option for all common flags used by default on distros
From: ago at gentoo dot org @ 2023-12-07 11:21 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112897

--- Comment #2 from Agostino Sarubbo <ago at gentoo dot org> ---
I don't know if I was able to convey the concept, but in other words if we
know that something like -fstack-clash-protection is widely used nowadays, it
makes no sense to rebase patches for 10 years and then in 2033 make the proper
configure option :)

> What's the flag you want to enable this time?

I'm not a gcc downstream maintainer so I can speak for what I can see as
an external person, so you might want to involve downstream maintainers.
From what I can see I'd say that a starting point is:

-D_FORTIFY_SOURCE=2
-D_FORTIFY_SOURCE=3
-fstack-clash-protection
-fcf-protection
-z,relro / -z now
_GLIBCXX_ASSERTIONS
-Wformat
-Wformat-security

* [Bug other/112897] Have a configure option for all common flags used by default on distros
From: egallager at gcc dot gnu.org @ 2023-12-07 11:41 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112897

Eric Gallager <egallager at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |egallager at gcc dot gnu.org,
                   |                            |mpolacek at gcc dot gnu.org

--- Comment #3 from Eric Gallager <egallager at gcc dot gnu.org> ---
(In reply to Agostino Sarubbo from comment #2)
> I don't know if I was able to convey the concept, but in other words if we
> know that something like -fstack-clash-protection is widely used nowadays,
> it makes no sense to rebase patches for 10 years and then in 2033 make the
> proper configure option :)
> 
> > What's the flag you want to enable this time?
> 
> I'm not a gcc downstream maintainer so I can speak for what I can see as
> an external person, so you might want to involve downstream maintainers.
> From what I can see I'd say that a starting point is:
> 
> -D_FORTIFY_SOURCE=2
> -D_FORTIFY_SOURCE=3
> -fstack-clash-protection
> -fcf-protection
> -z,relro / -z now
> _GLIBCXX_ASSERTIONS
> -Wformat
> -Wformat-security

This sounds like basically the same set of options enabled by the new
-fhardened flag coming in GCC 14?

* [Bug other/112897] Have a configure option for all common flags used by default on distros
From: redi at gcc dot gnu.org @ 2023-12-07 12:10 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112897

--- Comment #4 from Jonathan Wakely <redi at gcc dot gnu.org> ---
(In reply to Agostino Sarubbo from comment #0)
> Fedora (there are other unrelated patches):
> https://download.fedoraproject.org/pub/fedora/linux/development/rawhide/
> Everything/source/tree/Packages/g/gcc-13.2.1-5.fc40.src.rpm

Fedora GCC doesn't change defaults from upstream.

Flags like -D_FORTIFY_SOURCE=3 are added by the Fedora build system when
building RPMs, they are not hardcoded as defaults into gcc itself.

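The distinction drawn in comment #4, between flags hardcoded as compiler defaults and flags added by a build system, can be checked from the compiler's predefined macros. The following is an added example, not part of the thread or of GCC; both macro dumps are constructed samples, and `live_dump`, `macro_value`, `hardening_defaults` and `added_by_flags` are hypothetical helper names.

```sh
#!/bin/sh
# Added example, not from the thread: read a compiler's predefined-macro dump
# and report which hardening features are active.

# Constructed sample: dump with no flags from a compiler configured with
# --enable-default-pie --enable-default-ssp.
SAMPLE_DEFAULTS='#define __PIE__ 2
#define __SSP_STRONG__ 3
#define __x86_64__ 1'

# Constructed sample: same compiler, invoked with build-system flags
# -O2 -D_FORTIFY_SOURCE=3 -fcf-protection.
SAMPLE_WITH_FLAGS='#define __PIE__ 2
#define __SSP_STRONG__ 3
#define _FORTIFY_SOURCE 3
#define __CET__ 3
#define __x86_64__ 1'

# live_dump [FLAGS...]: macro dump from the real compiler ($CC, default gcc).
live_dump() { "${CC:-gcc}" -dM -E -x c "$@" /dev/null; }

# macro_value DUMP NAME: print the value of "#define NAME value", if present.
macro_value() {
    printf '%s\n' "$1" | sed -n "s/^#define $2 \(.*\)\$/\1/p" | head -n 1
}

# hardening_defaults DUMP: print the hardening features seen in DUMP.
hardening_defaults() {
    out=""
    [ -n "$(macro_value "$1" __PIE__)" ] && out="$out pie"
    if   [ -n "$(macro_value "$1" __SSP_ALL__)" ];    then out="$out ssp-all"
    elif [ -n "$(macro_value "$1" __SSP_STRONG__)" ]; then out="$out ssp-strong"
    elif [ -n "$(macro_value "$1" __SSP__)" ];        then out="$out ssp"
    fi
    fs=$(macro_value "$1" _FORTIFY_SOURCE)
    [ -n "$fs" ] && out="$out fortify=$fs"
    [ -n "$(macro_value "$1" __CET__)" ] && out="$out cf-protection"
    printf '%s\n' "${out# }"
}

# added_by_flags BASE_DUMP FLAGS_DUMP: features present only in FLAGS_DUMP,
# i.e. what the build system adds on top of the compiler's own defaults.
added_by_flags() {
    base=" $(hardening_defaults "$1") "
    for f in $(hardening_defaults "$2"); do
        case "$base" in *" $f "*) ;; *) printf '%s\n' "$f" ;; esac
    done
}

echo "compiler defaults: $(hardening_defaults "$SAMPLE_DEFAULTS")"
echo "added by flags:    $(added_by_flags "$SAMPLE_DEFAULTS" "$SAMPLE_WITH_FLAGS" | tr '\n' ' ')"
```

On a real system, `hardening_defaults "$(live_dump)"` reports the compiler's own defaults, and passing a package build's flags to `live_dump` produces the second dump. Options that define no preprocessor macro are not visible to this check.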

* [Bug other/112897] Have a configure option for all common flags used by default on distros
From: sjames at gcc dot gnu.org @ 2023-12-07 12:24 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112897

Sam James <sjames at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |arsen at gcc dot gnu.org,
                   |                            |sjames at gcc dot gnu.org,
                   |                            |toolchain at gentoo dot org

--- Comment #5 from Sam James <sjames at gcc dot gnu.org> ---
This doesn't represent our position in packaging GCC in Gentoo and I don't know
why this bug was filed. Agostino isn't affiliated with that work.

If we have proposals to make, we'll make them, but we don't have any in the
works.

We supported the -fhardened proposal and were pleased to see it make it into
14.

* [Bug other/112897] Have a configure option for all common flags used by default on distros
From: dilfridge at gentoo dot org @ 2023-12-07 15:09 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112897

Andreas K. Huettel <dilfridge at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dilfridge at gentoo dot org

--- Comment #6 from Andreas K. Huettel <dilfridge at gentoo dot org> ---
Please ignore this bug.

Ago is not a member of the Gentoo toolchain team and does not speak for it.

I am sorry for the spam.

Regards, 
Andreas
(Gentoo Toolchain team lead)
https://wiki.gentoo.org/wiki/Project:Toolchain

* [Bug other/112897] Have a configure option for all common flags used by default on distros
From: agostino.sarubbo at gmail dot com @ 2023-12-07 15:49 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112897

Agostino Sarubbo <agostino.sarubbo at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #7 from Agostino Sarubbo <agostino.sarubbo at gmail dot com> ---
Let me clarify a bit.

This bug is intended as a general improvement idea.

I never claimed to speak for Gentoo nor on behalf of the Gentoo toolchain
project (which I'm not part of).

If people got confused and thought that I was speaking for Gentoo, then I'm
sorry but that was not my intention.

@Andreas K. Huettel:
Sam James already stated that I'm not speaking for Gentoo/Gentoo Toolchain, so
I understand that repeating it makes you happier, and you are free to do that.
However, stating 'please ignore this bug' is a bit disrespectful.

I'm closing it myself.
