Bug 978763

Summary: switch from "-fstack-protector" to "-fstack-protector-strong" in rawhide (in time for Fedora 20)
Product: [Fedora] Fedora Reporter: Dhiru Kholia <dkholia>
Component: redhat-rpm-config Assignee: Panu Matilainen <pmatilai>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhide CC: bressers, jonathan, kevin, pmatilai, robatino, sgallagh
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Last Closed: 2013-07-04 07:37:00 UTC Type: Bug
Bug Blocks: 980649    
Attachments:
Description Flags
Fix #978763 none

Description Dhiru Kholia 2013-06-27 06:42:31 UTC
FESCo Ticket: https://fedorahosted.org/fesco/ticket/1128

Status: APPROVED

Summary,

The new compiler flag "-fstack-protector-strong" in Fedora 19's gcc achieves a better balance between security and performance (when compared against the default -fstack-protector and available -fstack-protector-all options).

I am proposing to switch from using the "-fstack-protector" flag to "-fstack-protector-strong" in Fedora 20. The switch involves changing a single line in /usr/lib/rpm/redhat/macros file.

Comment 1 Dhiru Kholia 2013-06-27 08:46:09 UTC
Created attachment 766017
Fix #978763

Comment 2 Dhiru Kholia 2013-06-27 08:47:18 UTC
Patch for fixing this bug is attached.

In case of problems, please see https://bitbucket.org/dhiru/redhat-rpm-config/commits/all

Comment 3 Dhiru Kholia 2013-06-28 12:15:58 UTC
Hi Panu,

Does the attached patch work for you?

Can we fix this bug ASAP (in order to catch potential problems early on)?

Comment 4 Stephen Gallagher 2013-07-03 19:27:14 UTC
Panu, please review and incorporate (or help correct it if it needs work).

At the FESCo meeting on 2013-07-03 we decided that this change needs to be made before the F20 mass-rebuilds take place. Thus nominating it for an F20Alpha blocker.

Comment 5 Panu Matilainen 2013-07-04 07:06:51 UTC
I was on vacation for a couple of days and this ends all the way up to FESCo?

I don't see how a s/fno-stack-protector/fno-stack-protector-strong/ operation would need a whole lot of "review" from me, especially considering the whole hardening stuff was added by someone else to begin with (but that's beside the point here)

So yeah yeah, I'll drop it in soonish.

Comment 6 Panu Matilainen 2013-07-04 07:20:25 UTC
Oh, this wasn't linked to the hardening stuff at all, my mistake.

And apparently it does need a bit of review after all: there's no such option as "-fno-stack-protector-strong" which the patch introduces for aarch64.
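The failure mode described in Comment 6, as an added example that is not part of the bug report or the attached patch: a blanket textual substitution of `stack-protector` also rewrites the negative and `-all` forms into options GCC does not have, while a whole-token rewrite leaves them alone. The sample flag lines are constructed and the function names are hypothetical.

```python
import re

# GCC's stack-protector options. The only negative form is
# -fno-stack-protector; "-fno-stack-protector-strong" does not exist.
VALID = {
    "-fstack-protector", "-fstack-protector-strong", "-fstack-protector-all",
    "-fstack-protector-explicit", "-fno-stack-protector",
}

# Constructed sample flag lines (not copied from redhat-rpm-config).
DEFAULT_FLAGS = "-O2 -g -pipe -Wall -fstack-protector --param=ssp-buffer-size=4"
OPT_OUT_FLAGS = "-O2 -g -fno-stack-protector"


def naive_switch(flags):
    """Blanket textual substitution: also rewrites the -fno- and -all forms."""
    return flags.replace("stack-protector", "stack-protector-strong")


def switch_to_strong(flags):
    """Rewrite only a whole-token -fstack-protector, keeping spacing intact."""
    return re.sub(r"(?<!\S)-fstack-protector(?!\S)",
                  "-fstack-protector-strong", flags)


def invalid_stack_protector_flags(flags):
    """Return stack-protector tokens that are not real GCC options."""
    return [t for t in flags.split()
            if re.match(r"-f(?:no-)?stack-protector", t) and t not in VALID]


if __name__ == "__main__":
    for line in (DEFAULT_FLAGS, OPT_OUT_FLAGS, "-O2 -fstack-protector-all"):
        for name, fn in (("naive", naive_switch), ("token", switch_to_strong)):
            out = fn(line)
            bad = invalid_stack_protector_flags(out)
            print(f"{name:5} {out!r} invalid={bad}")
```

Running the validator over the rewritten flag lines before a mass rebuild catches an invented option at review time instead of as a compiler error on one architecture.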

Comment 7 Panu Matilainen 2013-07-04 07:37:00 UTC
Changed in redhat-rpm-config-9.1.0-47.fc20

Comment 8 Dhiru Kholia 2013-07-04 08:19:21 UTC
Thanks Panu!

It would be great if we could get rid of those "whitespace errors" (from the SPEC file) in a future update.

Comment 9 Panu Matilainen 2013-07-04 08:25:10 UTC
Um, what whitespace errors?

Comment 10 Dhiru Kholia 2013-07-04 09:24:39 UTC
whitespace errors ==> some empty lines have stray spaces / tabs in them.

Turn on colours in the git configuration and see the output of "git log -p".