--- wikisrc/pkgsrc/hardening.mdwn 2019/01/06 18:09:25 1.46 +++ wikisrc/pkgsrc/hardening.mdwn 2021/04/06 10:36:45 1.47 @@ -29,10 +29,12 @@ This allows substitute wrappers to be us library functions that do not have built-in bounds checking - but could in some cases. -**TODO**: Explain FORTIFY_SOURCE 1 vs 2, and which is used. Give a link -to a good explanation of the technique. Explain if this is gcc specific. +Two mitigation levels are available: -It has been enabled by default since pkgsrc-2017Q3. +- "weak" only enables checks at compile-time. +- "strong" enables checks at compile-time and runtime. + +`strong` has been enabled by default since pkgsrc-2017Q3. ### PKGSRC_USE_SSP @@ -211,14 +213,8 @@ drivers. Partial RELRO can be applied in ### Packages failing to build The stack-smashing protection provided by this option does not work for some -programs. The two most common situations in which this happens are: - -* the program makes use of the `alloca(3)` library call (memory allocator on the - stack) (**TODO**: at least regarding build failure, this was a problem only - with older gcc version and probably do not apply in most common pkgsrc setup - (i.e. no PR/mails about that seen in the last years about that.)) -* the program allocates variables on the stack, with the size determined at - run-time. +programs. The most common situation in which this happens is when the program +allocates variables on the stack, with the size determined at run-time. Both cases will require a modification to the program, or disabling this feature by adding in the package `Makefile`:
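Review bot: In the first hunk (@@ -29,10 +29,12 @@), the new "weak" and "strong" bullets never say which FORTIFY_SOURCE level each one selects, although the removed TODO asked for exactly that ("Explain FORTIFY_SOURCE 1 vs 2, and which is used"). Suggest stating the mapping in each bullet, and confirming while doing so that "weak" really performs no runtime checks. The TODO's other two items, a link to an explanation of the technique and whether it is gcc specific, are deleted without being answered; either address them or keep a shortened TODO. The quoting is also inconsistent: the bullets use "weak" and "strong" in double quotes while the following sentence uses `strong` in backticks. Pick one, preferably backticks if these are literal values a user sets.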
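Review bot: In the second hunk (@@ -211,14 +213,8 @@), the unchanged line after the edit still reads "Both cases will require a modification to the program", but the change reduces the list to a single situation (variables allocated on the stack with a run-time size). Suggest rewording that line to something like "This will require a modification to the program, or disabling this feature ...". The removed bullet also carried the observation that the `alloca(3)` build failure applied only to older gcc versions; if that is the reason for dropping it, a short mention in the commit message or the text would stop readers of older advice wondering whether `alloca(3)` is still a concern.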