Fedora 31 Plans To Use GCC Security Hardening Flags By Default

  • Fedora 31 Plans To Use GCC Security Hardening Flags By Default

    Phoronix: Fedora 31 Plans To Use GCC Security Hardening Flags By Default

    Fedora 31 will likely be enabling various GCC security hardening flags by default in trying to further enhance the security of the software in its repositories...


  • #2
    These GCC flags are already enabled by default in all package builds in Fedora. What this change is about is forcing these behaviors for regular developer usage of GCC too.



    • #3
      "In fact, the flags they are planning to use by default are already the defaults on Ubuntu."

      And this is one more reason why Ubuntu continues to be the premier Linux distribution: it is the distro that comes closest to "just works" without all the little "paper cuts" (I'm looking at you, Manjaro) that make an otherwise great distro unusable.



      • #4
        phoronix Instead of "-fstack-protector-string", you probably wanted to write "-fstack-protector-strong" - the same flag that Ubuntu builds all of its packages with.
        Pretty sure that GCC and Clang don't have "-fstack-protector-string".



        • #5
          @King InuYasha
          Indeed, I was confused by the article, as I have quite a few packages that I maintain in Fedora, which were affected by the move. That happened quite a while ago.
          Last edited by Mystro256; 12 March 2019, 08:38 AM.



          • #6
            Yay, more performance losses!



            • #7
              Originally posted by Spooktra View Post
              "In fact, the flags they are planning to use by default are already the defaults on Ubuntu."

              And this is one more reason why Ubuntu continues to be the premier Linux distribution: it is the distro that comes closest to "just works" without all the little "paper cuts" (I'm looking at you, Manjaro) that make an otherwise great distro unusable,
              except with Flatpaks.



              • #8
                Originally posted by hreindl View Post

                bullshit - https://fedoraproject.org/wiki/Chang...n_All_Packages

                I wonder why people with no clue always have opinions backed by nothing
                Exactly nothing on this page pertains to performance or performance loss. A nice link!



                • #9
                  This is about patching GCC itself, so anytime it gets called these flags are used without the user having to specify anything, right?

                  It's already been mentioned, but for RPM packages (using %{__global_c[xx]flags}) Fedora and Red Hat have been specifying most of these flags for some time. Only -Wformat/-Wformat-security are explicitly missing from the current flags for RHEL 7 and Fedora 29-Rawhide (I didn't bother looking further back):

                  RHEL:
                  Code:
                  -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches
                  Fedora:
                  Code:
                  -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection


                  I think -Werror=format-security covers -Wformat-security by making the build outright fail.


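The flag lists in #9 are easy to eyeball once, but the interesting cases are the ones #10 hints at: GCC resolves conflicting options left to right, so a trailing -fno-stack-protector silently undoes -fstack-protector-strong, -Wformat-security only fires when -Wformat is also on (which -Wall provides), -Werror=format-security implies -Wformat-security, and _FORTIFY_SOURCE does nothing below -O1. The script below is an added example, not code from Fedora, Red Hat or the poster; it applies those GCC rules to a flag string and reports which of the thread's hardening features are effectively enabled. The two flag strings are copied from post #9; the list of features it checks for is this example's own choice.

```python
"""Audit a GCC flag string for the hardening options compared in post #9.

Added example (not Fedora's, Red Hat's or the poster's code). Applies GCC's
own resolution rules: the last conflicting option wins, -Werror=format-security
implies -Wformat-security, -Wformat-security needs -Wformat (or -Wall), and
_FORTIFY_SOURCE is only effective at -O1 or higher.
"""
import re
import shlex

# Flag strings copied from post #9 (RHEL 7 and Fedora 29-Rawhide RPM defaults).
RHEL_FLAGS = ("-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions "
              "-fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches")
FEDORA_FLAGS = ("-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 "
                "-Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong "
                "-grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 "
                "-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic "
                "-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection")

STACK_PROTECTOR = {               # later flag overrides earlier ones
    "-fstack-protector-all": "all",
    "-fstack-protector-strong": "strong",
    "-fstack-protector-explicit": "explicit",
    "-fstack-protector": "basic",
    "-fno-stack-protector": None,
}

# Order used when reporting what is missing.
FEATURES = ["stack_protector", "fortify_source", "format_security",
            "stack_clash_protection", "cf_protection"]


def audit_cflags(cflags):
    """Walk the flags left to right and return the effective hardening state."""
    optimizing = False            # no -O flag means -O0
    stack_protector = None
    fortify = 0
    wformat = False
    format_security = False
    stack_clash = False
    cf_protection = None          # None or the -fcf-protection= value ("full" when bare)

    for tok in shlex.split(cflags):
        # Preprocessor defines may arrive as -D... or wrapped in -Wp,-D...
        bare = tok[4:] if tok.startswith("-Wp,") else tok
        fortify_m = re.fullmatch(r"-D_FORTIFY_SOURCE(?:=(\d+))?", bare)

        if tok in STACK_PROTECTOR:
            stack_protector = STACK_PROTECTOR[tok]
        elif re.fullmatch(r"-O(\d|s|g|z|fast)?", tok):
            optimizing = tok != "-O0"
        elif fortify_m:
            fortify = int(fortify_m.group(1) or 1)   # bare -D_FORTIFY_SOURCE defines it as 1
        elif bare == "-U_FORTIFY_SOURCE":
            fortify = 0
        elif tok in ("-Wall", "-Wformat") or re.fullmatch(r"-Wformat=[1-9]", tok):
            wformat = True
        elif tok in ("-Wno-format", "-Wformat=0"):
            wformat = False
        elif tok in ("-Wformat-security", "-Werror=format-security"):
            format_security = True
        elif tok == "-Wno-format-security":
            format_security = False
        elif tok == "-fstack-clash-protection":
            stack_clash = True
        elif tok == "-fno-stack-clash-protection":
            stack_clash = False
        elif tok == "-fcf-protection" or tok.startswith("-fcf-protection="):
            value = tok.partition("=")[2] or "full"
            cf_protection = None if value == "none" else value

    return {
        "stack_protector": stack_protector,
        "fortify_source": fortify if optimizing else 0,    # dead at -O0
        "format_security": format_security and wformat,    # needs -Wformat too
        "stack_clash_protection": stack_clash,
        "cf_protection": cf_protection,
    }


def missing_hardening(cflags):
    """Names of features not at the level Fedora's packaging flags provide."""
    r = audit_cflags(cflags)
    bad = {
        "stack_protector": r["stack_protector"] not in ("strong", "all"),
        "fortify_source": r["fortify_source"] < 2,
        "format_security": not r["format_security"],
        "stack_clash_protection": not r["stack_clash_protection"],
        "cf_protection": r["cf_protection"] is None,
    }
    return [name for name in FEATURES if bad[name]]


if __name__ == "__main__":
    for label, flags in (("RHEL", RHEL_FLAGS), ("Fedora", FEDORA_FLAGS),
                         ("#10's case", "-O2 -fstack-protector-strong -fno-stack-protector")):
        print(label, "missing:", missing_hardening(flags) or "nothing")
```

Feed it the output of `rpm --eval '%{build_cflags}'` on a Fedora or RHEL box, or the CFLAGS an upstream build actually passes, rather than what the spec file says: a later -fno-stack-protector or -O0 from a project's own Makefile overrides the distro defaults, and the audit reports that as the feature being off, exactly the "make install" situation #10 describes.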

                  • #10
                    Originally posted by hreindl View Post
                    god damned look at the date, it's been the default for years for all packages, the change now is
                    only for the few fools doing "make install" instead of building packages on their local machines
                    That's even worse. Enabling features by default so that you have to use -fno-stack-protector to generate sane code is disgusting.
