Neal Gompa and I spoke about this concern during the Ubuntu Summit. He would like to see tunables added to -fhardened. The thought is, with tunables folks are less likely to fully disable -fhardened if they run into a failed build.

We spoke about using redundant flags in distros, e.g., so that we could set both -fhardened and -D_FORTIFY_SOURCE=3. I need to follow up with GCC folks and Marek about this idea. See the parallel discussion on Red Hat with Neal: https://bugzilla.redhat.com/show_bug.cgi?id=2312869

> why would we want to do that?

A rising tide lifts all boats. If major distros all enable -fhardened, we guarantee that we are all using a minimal set of security flags. It shortens the lag it takes for distros to apply well-vetted security practices. It centralizes the conversation between performance cost and security gain, which each distro currently has internally.

** Bug watch added: Red Hat Bugzilla #2312869 https://bugzilla.redhat.com/show_bug.cgi?id=2312869

Title: Please add -fhardened to default build flags
https://bugs.launchpad.net/bugs/2080267
