On Sun, Sep 8, 2013 at 8:06 PM, Ryan Hill <[email protected]> wrote: > You will be expected to fix them, and `append-flags > -fno-stack-protector` is not an acceptable fix. You can't champion for more > secure defaults and then just disable them when they get in your way.
Why not? Surely a system where 99.9% of the packages installed are hardened is more secure than a system where 0% of the packages installed are hardened. > So does anyone have any objections to making -fstack-protector the default? > Now is the time to speak up. So, in this world of all-or-nothing we want people who realize that 100% protection might not be possible to raise an objection so that we end up with 0% protection instead? Why not just do the sensible thing (IMHO) and make it a default, and then if it doesn't work for an individual package deal with it on an individual basis? We already encourage maintainers to try to get custom CFLAGS to work when practical, but when not practical we filter them. I don't see stack protection as any different. If there is a fix, then fix it, and if not, then disable it. I don't see a lack of stack-protection as a reason to keep something out of the tree. Rich
