From: Adam McDougall
To: freebsd-ports@freebsd.org
Date: Wed, 20 Aug 2014 14:10:24 -0400
Subject: Re: [CFT] SSP Package Repository available
Message-ID: <53F4E490.3000907@egr.msu.edu>
In-Reply-To: <34632ff93c04551e334a659512a728a9@mailbox.ijs.si>
References: <523D79CD.2090302@FreeBSD.org> <53F4CE0E.8040106@FreeBSD.org> <34632ff93c04551e334a659512a728a9@mailbox.ijs.si>

On 08/20/2014 13:20, Mark Martinec wrote:
> 2014-08-20 18:34 Bryan Drewery wrote:
>> On 9/21/2013 5:49 AM, Bryan Drewery wrote:
>>> Ports now support enabling Stack Protector [1] support on FreeBSD 10
>>> i386 and amd64, and older releases on amd64 only currently.
>>>
>>> Support may be added for earlier i386 releases once all ports properly
>>> respect LDFLAGS.
>>>
>>> To enable, just add WITH_SSP=yes to your make.conf and rebuild all
>>> ports.
>>>
>>> The default SSP_CFLAGS is -fstack-protector, but -fstack-protector-all
>>> may optionally be set instead.
>>>
>>> Please help test this on your system. We would like to eventually enable
>>> this by default, but need to identify any major ports that have run-time
>>> issues due to it.
>>>
>>> [1] https://en.wikipedia.org/wiki/Buffer_overflow_protection
>>>
>>
>> We have not had any feedback on this yet and want to get it enabled by
>> default for ports and packages.
>>
>> We now have a repository that you can use rather than the default to
>> help test. We need your help to identify any issues before switching the
>> default.
>>
>> This repository is available for:
>>
>> head
>> 10.0
>> 9.1, 9.2, 9.3
>>
>> It is not available for 8.4. If someone is willing to test on 8.4 I will
>> build a repository for it.
>>
>> Place this in /usr/local/etc/pkgs/repos/FreeBSD_ssp.conf:
>>
>> FreeBSD: { enabled: no }
>> FreeBSD_ssp: {
>>   url: "pkg+http://pkg.FreeBSD.org/${ABI}/ssp",
>>   mirror_type: "srv",
>>   signature_type: "fingerprints",
>>   fingerprints: "/usr/share/keys/pkg",
>>   enabled: yes
>> }
>>
>> Once that is done you should force reinstall packages from this
>> repository:
>>
>> pkg update
>> pkg upgrade -f
>>
>> Thanks for your help!
>> Bryan Drewery
>> On behalf of portmgr.
>
> I'm building about 2000 ports for our 10.0 servers and workstations using
> poudriere since the 10.0 release, using WITH_SSP_PORTS=yes in poudriere's
> make.conf. I suppose the WITH_SSP_PORTS=yes is equivalent to WITH_SSP=yes
> but limited to ports (not sure where I got this setting, must have been
> some announcement).
>
> So far I haven't come across any ill effects that I could attribute to SSP.
>
> Mark

I concur with Mark: with my 1400+ packages for workstations and servers, I
have had zero issues. This seems like a pretty safe change. I just confirmed
-fstack-protector is in my build logs, although less frequently than I
assumed for ports such as zenity, meld, pidgin (once or twice each). Other
ports such as vlc mention it 2029 times. Not sure if the low counts are
expected.
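As an added example (not code from this thread and not a FreeBSD or poudriere tool), the following POSIX sh script turns the build-log check described above into a per-port coverage ratio, which is more informative than a raw mention count because ports with few compilation units naturally show few hits; it also includes the stronger post-build check of looking for a __stack_chk_fail reference in the produced binary. The helper names (ssp_coverage, ssp_complete, binary_has_ssp) and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from this thread: estimate SSP coverage per port from
# poudriere-style build logs. Raw counts of "-fstack-protector" scale with the
# number of compilation units, so compare compile steps carrying the flag with
# all compile steps. Helper names are hypothetical; log lines are constructed.

CC_RE='(^|[[:space:]])(cc|c[+][+]|clang|clang[+][+]|gcc|g[+][+])[[:space:]]'

# Compile steps only ("-c"); link lines usually lack CFLAGS and would skew it.
compile_lines() {
    grep -E "$CC_RE" "$1" | grep -E -- '(^|[[:space:]])-c([[:space:]]|$)'
}

# Print "<port> <with_flag> <total>" for one build log.
ssp_coverage() {
    port="$1"; log="$2"
    total=$(compile_lines "$log" | grep -c '' || true)
    with=$(compile_lines "$log" | grep -c -- '-fstack-protector' || true)
    echo "$port $with $total"
}

# Succeed only when every compile step in the log carries the flag.
ssp_complete() {
    set -- $(ssp_coverage "$1" "$2")
    [ "$3" -gt 0 ] && [ "$2" -eq "$3" ]
}

# Post-build check on an installed binary (needs readelf): code compiled with
# -fstack-protector references __stack_chk_fail.
binary_has_ssp() {
    readelf -s "$1" 2>/dev/null | grep -q '__stack_chk_fail'
}

# Constructed samples: "meld" has one compile step, with the flag (a low count
# but full coverage); "noflag" lost the flag on one of its two units.
MELD_LOG=$(mktemp); NOFLAG_LOG=$(mktemp)
trap 'rm -f "$MELD_LOG" "$NOFLAG_LOG"' EXIT
cat > "$MELD_LOG" <<'EOF'
===>  Building for meld
cc -O2 -pipe -fstack-protector -fno-strict-aliasing -c helper.c -o helper.o
install -m 644 meld.py /usr/local/share/meld/
EOF
cat > "$NOFLAG_LOG" <<'EOF'
===>  Building for noflag
cc -O2 -pipe -fstack-protector -c a.c -o a.o
cc -O2 -pipe -c b.c -o b.o
cc -o noflag a.o b.o
EOF
ssp_coverage meld "$MELD_LOG"; ssp_coverage noflag "$NOFLAG_LOG"
```

On a real poudriere host, point ssp_coverage at the per-port logs under the bulk run's logs directory and run binary_has_ssp against the installed executables of the ports with low counts.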