Re: Hardened toolchain

[kiasoc5]

Yes it would be easier to add the hardening flags to gcc directly, I just 
wasn't sure whether the maintainers would be open to the idea.

Since the default gcc toolchain version is still on gcc 10, the hardening flags 
could be added to gcc 11. Then the upgrade from gcc toolchain 10 to 11 can 
benefit from the hardening flags, and "only" 1 world rebuild is needed.

Mar 28, 2022, 03:17 by maxim.cournoyer@gmail.com:

> Hi,
>
> Maxime Devos <maximedevos@telenet.be> writes:
>
>> zimoun schreef op ma 21-03-2022 om 14:34 [+0100]:
>>
>>> > * gcc can be compiled with `--enable-default-ssp --enable-default-
>>> > pie`
>>> > to enforce ssp and pic
>>>
>>> You wrote [1]:
>>>
>>> --8<---------------cut here---------------start------------->8---
>>> (define-public gcc
>>>   (package
>>>     (inherit gcc)
>>>     (arguments
>>>      (substitute-keyword-arguments (package-arguments gcc)
>>>      ((#:configure-flags flags
>>>        `(append (list "--enable-default-ssp" "--enable-default-pie")
>>>             ,flags)))))))
>>> --8<---------------cut here---------------end--------------->8---
>>>
>>
>> I think it would be a lot simpler to just add this to the 'standard'
>> gcc configure flags, in (gnu packages gcc), given that probably the
>> idea is to do this hardening for all packages?  Needs a world-rebuild
>> though.
>>
>
> +1.  The whole distribution can probably benefit from this hardening.
>
> Maxim
>