From: Frederic Berat
Date: Tue, 4 Jul 2023 14:40:57 +0200
Subject: Re: [PATCH v3 16/16] Add --enable-fortify-source option
To: Adhemerval Zanella Netto
Cc: Andreas Schwab, Siddhesh Poyarekar, libc-alpha@sourceware.org

On Mon, Jul 3, 2023 at 2:51 PM Adhemerval Zanella Netto <adhemerval.zanella@linaro.org> wrote:

>
>
> On 03/07/23 05:50, Andreas Schwab wrote:
> > On Jun 30 2023, Siddhesh Poyarekar wrote:
> >
> >> On 2023-06-28 04:42, Frédéric Bérat wrote:
> >>> It is now possible to enable fortification through a configure option.
> >>> The level may be given as parameter, if none is provided, the configure
> >>> script will determine what is the highest level possible that can be set
> >>> considering GCC built-ins availability and set it.
> >>> If level is explicitly set to 3, configure checks if the compiler
> >>> supports the built-in function necessary for it or raise an error if it
> >>> isn't.
> >>> The result of the configure checks is a new variable, ${fortify_source}
> >>> that can be used to appropriately populate CFLAGS.
> >>> Updated NEWS and INSTALL.
> >>> Adding dedicated x86_64 variant that enables the configuration.
> >>
> >> Adhemerval, do you still think we should drop this and only look at
> >> CFLAGS? I am still not a 100% convinced that we should only look at
> >> CFLAGS (it gives much less control which makes me uneasy) but I see your
> >> point. We'll be setting CFLAGS in Fedora anyway (which I guess will be
> >> true for Ubuntu, Gentoo, Debian, etc. too) and the pre-commit CI will
> >> likely have _FORTIFY_SOURCE disabled so we may have adequate coverage.
> >
> > I prefer a configure option, mirroring --enable-stack-protector. Since
> > glibc has very strict requirements wrt compiler flags it needs to handle
> > it specially anyway, and making it explicit is cleaner.
> >
>
> Fair enough, I am aiming to simplify the configure options and thus the
> build permutations that arise for multiple options; but I see that following
> current practice should be ok.
>
>
That would mean for me to do the following on this patch:
- if "--enable-fortify-source" is set, set -D_FORTIFY_SOURCE accordingly
  (already done).
- if "--enable-fortify-source" is NOT set (i.e. assume
  "--disable-fortify-source"), forcibly undefine _FORTIFY_SOURCE (currently
  not done).

Do you all agree with that?

Fred.
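
The option handling discussed in this message, sketched as a shell function. This is an added example, not part of the original e-mail and not glibc's configure code: `resolve_fortify`, `has_dynamic_object_size` and the `HAVE_DOS` override are hypothetical names, and the accepted values (no, yes, 1, 2, 3) and the `-U` emitted ahead of `-D` are assumptions of the example.

```shell
#!/bin/sh
# Added illustration, not glibc's configure code. Function names and the
# HAVE_DOS override are hypothetical.

# Succeeds when the compiler provides __builtin_dynamic_object_size, the
# built-in that _FORTIFY_SOURCE=3 depends on. HAVE_DOS=yes|no skips the
# probe so the decision logic can be exercised without a compiler.
has_dynamic_object_size() {
    case "${HAVE_DOS:-}" in
        yes) return 0 ;;
        no)  return 1 ;;
    esac
    printf '%s\n' 'int main(void){char b[4];return (int)__builtin_dynamic_object_size(b,0);}' |
        ${CC:-cc} -x c -fsyntax-only -Werror=implicit-function-declaration - 2>/dev/null
}

# $1 is the value given to --enable-fortify-source: empty or "no" when the
# option is absent or disabled, "yes" for the bare option, or a level 1-3.
# Prints the preprocessor flags to add to CFLAGS.
resolve_fortify() {
    case "${1:-no}" in
        no)  fs_level=0 ;;
        yes) # No level given: pick the highest the compiler supports.
             if has_dynamic_object_size; then fs_level=3; else fs_level=2; fi ;;
        1|2) fs_level=$1 ;;
        3)   # An explicit level 3 is a hard requirement, not a hint.
             if ! has_dynamic_object_size; then
                 echo "error: compiler lacks __builtin_dynamic_object_size" >&2
                 return 1
             fi
             fs_level=3 ;;
        *)   echo "error: invalid fortify level: $1" >&2
             return 1 ;;
    esac
    if [ "$fs_level" -eq 0 ]; then
        # Option not set: forcibly undefine (the second case in the message).
        printf '%s\n' "-U_FORTIFY_SOURCE"
    else
        # Assumption: -U first so an earlier definition cannot clash.
        printf '%s\n' "-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=$fs_level"
    fi
}

# Constructed inputs: option absent, explicit level 2, bare option.
for opt in "" 2 yes; do
    printf '%-5s -> %s\n' "${opt:-unset}" "$(resolve_fortify "$opt")"
done
```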