From: "Ronald Klop"
To: "Ports FreeBSD", "Bryan Drewery"
Subject: Re: [CFT] SSP Package Repository available
Date: Thu, 18 Sep 2014 16:13:02 +0200

On Thu, 21 Aug 2014 17:55:41 +0200, Bryan Drewery wrote:

> On 8/21/2014 6:56 AM, Ronald Klop wrote:
>> On Wed, 20 Aug 2014 18:34:22 +0200, Bryan Drewery wrote:
>>
>>> On 9/21/2013 5:49 AM, Bryan Drewery wrote:
>>>> Ports now support enabling Stack Protector [1] support on FreeBSD 10
>>>> i386 and amd64, and older releases on amd64 only currently.
>>>>
>>>> Support may be added for earlier i386 releases once all ports properly
>>>> respect LDFLAGS.
>>>>
>>>> To enable, just add WITH_SSP=yes to your make.conf and rebuild all
>>>> ports.
>>>>
>>>> The default SSP_CFLAGS is -fstack-protector, but -fstack-protector-all
>>>> may optionally be set instead.
>>>>
>>>> Please help test this on your system. We would like to eventually
>>>> enable this by default, but need to identify any major ports that have
>>>> run-time issues due to it.
>>>>
>>>> [1] https://en.wikipedia.org/wiki/Buffer_overflow_protection
>>>>
>>>
>>> We have not had any feedback on this yet and want to get it enabled by
>>> default for ports and packages.
>>>
>>> We now have a repository that you can use rather than the default to
>>> help test. We need your help to identify any issues before switching
>>> the default.
>>>
>>> This repository is available for:
>>>
>>>   head
>>>   10.0
>>>   9.1,9.2,9.3
>>>
>>> It is not available for 8.4. If someone is willing to test on 8.4 I
>>> will build a repository for it.
>>>
>>> Place this in /usr/local/etc/pkgs/repos/FreeBSD_ssp.conf:
>>>
>>>   FreeBSD: { enabled: no }
>>>   FreeBSD_ssp: {
>>>     url: "pkg+http://pkg.FreeBSD.org/${ABI}/ssp",
>>>     mirror_type: "srv",
>>>     signature_type: "fingerprints",
>>>     fingerprints: "/usr/share/keys/pkg",
>>>     enabled: yes
>>>   }
>>>
>>> Once that is done you should force reinstall packages from this
>>> repository:
>>>
>>>   pkg update
>>>   pkg upgrade -f
>>>
>>> Thanks for your help!
>>> Bryan Drewery
>>> On behalf of portmgr.
>>>
>>
>> Hi,
>>
>> Is it necessary to upgrade all packages at once or can I just enable
>> WITH_SSP and upgrade ports as they are updated in the ports tree?
>>
>
> You can let them update on their own if you wish. Of course SSP won't be
> in the binaries until they are rebuilt.
>

Hi,

As you wanted feedback: I have been running with WITH_SSP_PORTS=yes in
/etc/make.conf for about a month now on a desktop machine. A lot of ports
have recompiled in the meantime. Things like Firefox, icewm, urxvt,
virtualbox. No problem so far.

Cheers,
Ronald.
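
The thread notes that SSP is not in a binary until the port is rebuilt. The script below is an added example, not part of the original messages or of the ports framework, that lists which installed ELF files already reference the stack-protector runtime. It assumes `readelf` is on the PATH; the function names and the sample symbol listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): heuristic check for stack-protector
# references in installed ELF files. Function names are hypothetical.

# Constructed sample of a symbol listing, used to exercise classify_symbols.
SAMPLE_SYMS='                 U __stack_chk_fail
                 U __stack_chk_guard
                 U printf'

# Read a symbol listing (readelf -s or nm output) on stdin and report
# whether it references the stack-protector runtime symbols.
classify_symbols() {
    if grep -Eq '__stack_chk_(fail|guard)'; then
        echo ssp
    else
        # -fstack-protector only instruments functions with vulnerable
        # objects such as character arrays, so this result does not prove
        # that the file was built without SSP.
        echo no-ssp-symbols
    fi
}

# Classify one file; anything that is not ELF is reported as "skip".
check_file() {
    magic=$(dd if="$1" bs=1 skip=1 count=3 2>/dev/null)
    [ "$magic" = "ELF" ] || { echo skip; return 0; }
    readelf -s "$1" 2>/dev/null | classify_symbols
}

# Walk a directory tree and print "<result><TAB><path>" for each ELF file.
scan_dir() {
    find "$1" -type f | while IFS= read -r f; do
        r=$(check_file "$f")
        [ "$r" = skip ] || printf '%s\t%s\n' "$r" "$f"
    done
}

# When given a directory argument (for example /usr/local/bin), scan it.
if [ "$#" -gt 0 ]; then
    scan_dir "$1"
fi
```

Files reported as `no-ssp-symbols` after a rebuild are candidates for a closer look, not confirmed failures.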