From: Janne Snabb <snabb@epipe.com>
To: freebsd-ports@freebsd.org
Date: Sun, 30 May 2010 02:19:04 +0000 (UTC)
Subject: Building ports with stack-protector

Hi,

Big thanks to the folks who made "make buildworld" use -fstack-protector by default since 8.0. This should make FreeBSD more secure.

How about the ports system?

I tried to re-build all my ports some time ago with the stack-protector enabled by adding -fstack-protector to CFLAGS in /etc/make.conf. Most ports build & work fine with this enabled, but there are several exceptions. Some libraries cannot be compiled with this (either the build fails or linking other programs which use the library later fails). Also some programs that do strange things fail to build or run.

IMHO it would make sense to make some sort of framework in the ports system to support this. I think there should be a port Makefile knob which tells if the port can be built with the stack-protector or not. Now it is difficult to determine on a port-by-port basis if it can be enabled or not.

Is there any work or are there any plans to accomplish this?

It would be great to compile at least all the network facing server programs with this enabled. I have an impression that more than 90% of programs can be compiled with the stack-protector. For libraries the percentage might be less.

What do you think?

Best Regards,
-- 
Janne Snabb / EPIPE Communications
snabb@epipe.com - http://epipe.com/
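Until the ports tree grows a per-port knob like the one asked for above, the per-port decision can be made in /etc/make.conf itself. The fragment below is an added example, not something from the original message or from the FreeBSD ports framework; it assumes a FreeBSD 8.x make where ports are built from /usr/ports (so .CURDIR is the port's directory while that port, or a dependency, is being built), and the two entries in SSP_UNSAFE_PORTS are placeholders to be replaced with whatever fails on your own machine, not ports known to be broken.

```makefile
# /etc/make.conf fragment (added example, not from the original message).
# Turns on -fstack-protector for ports only, so the flag does not leak into
# buildworld/buildkernel, and lets individual ports opt out while the ports
# tree has no knob of its own.
#
# SSP_UNSAFE_PORTS lists category/name pairs to exclude. The two entries
# below are placeholders, not ports known to break; fill in your own list.
SSP_UNSAFE_PORTS?=  somecategory/someport othercategory/otherport

# .CURDIR is the directory make was started in. For a port build that is the
# port directory (e.g. /usr/ports/net/foo), also while dependencies are
# built, so matching on it scopes the flag to one port at a time.
.if !empty(.CURDIR:M*/ports/*)
_SSP_ENABLE=    yes
.  for _p in ${SSP_UNSAFE_PORTS}
.    if !empty(.CURDIR:M*/ports/${_p})
_SSP_ENABLE=    no
.    endif
.  endfor
.  if ${_SSP_ENABLE} == "yes"
CFLAGS+=    -fstack-protector
.  endif
.endif
```

After rebuilding a port, a quick check that the flag actually reached the compiler is to look for the canary failure handler in the dynamic symbol table, e.g. `nm -D /usr/local/bin/someprogram | grep __stack_chk_fail`: a binary built with -fstack-protector references it as an undefined symbol if at least one function got a guarded buffer, and a port listed in SSP_UNSAFE_PORTS should show no such reference. Because the exclusion is keyed on .CURDIR, a port that only fails when a dependent program links against it still has to be excluded by its own category/name, not by the name of the program that failed to link.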