Enable gcc's -fstack-protector-all by default?

Rick Jones rick.jones2 at hp.com
Tue Nov 27 08:15:48 EST 2007


Darren Tucker wrote:
> Rick Jones wrote:
> 
>> Darren Tucker wrote:
> 
> [...]
> 
>>> Can anyone think of a good reason not to enable it if the compiler
>>> supports it?  A quick test here shows minimal difference in runtime over
>>> a full regress pass (~10sec over 8.5 minutes, and since the machine is
>>> not entirely idle that could be experimental error).
>>
>>
>> Is this stack protection architecture neutral?
> 
> 
> I'm not sure but I suspect that it is given that HPPA was (last time I 
> looked) one of the main development platforms for gcc and that the 
> documentation doesn't say anything about it being platform-specific. 
> That said I haven't actually tried it on a stack-grows-up architecture 
> like HPPA (and can't at the moment).

I had IA64 at the back of my mind more than HPPA :)

Just general conservativeness would seem to suggest that until a broader 
number of platforms can be covered, it might not be time to become the 
default.


> 
> WRT the cookie entropy source, it uses /dev/urandom if you have it, 
> but failing that it will fall back to a static cookie, so it's weaker 
> but not quite worthless if you don't have kernel random support.
> 
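To make the two points in the thread concrete (what the protector actually checks, and why the static-cookie fallback is weaker), here is an added example that is not OpenSSH code and not gcc's implementation: a hand-rolled model of the canary scheme behind -fstack-protector. gcc places a guard word between local buffers and the saved return address and compares it in the epilogue, calling __stack_chk_fail on mismatch; the model below puts the guard in a struct next to a buffer so the check can be exercised without crashing the process. The cookie values, buffer size and input payloads are constructed for the illustration.

```c
/* Model of the stack-protector canary check (added example, not gcc's or
 * OpenSSH's code).  The guard is placed in a struct next to the buffer so
 * the overflow stays within one object and the program does not abort. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16

/* Stand-in for the process-wide guard value.  The real one is chosen at
 * startup from /dev/urandom when available; the static fallback mentioned
 * in the thread amounts to this constant being identical in every run.
 * Constructed value. */
static const uint32_t STATIC_COOKIE = 0x5a5a5a5aU;

struct frame {
    char     buf[BUF_LEN];   /* the local buffer being written */
    uint32_t canary;         /* guard word placed just past the buffer */
};

/* Copies n bytes of src into f->buf with no bounds check: the bug the
 * protector is meant to catch.  The write is clamped to the struct so the
 * model stays within defined behaviour.  Returns bytes written. */
static size_t unchecked_copy(struct frame *f, const uint8_t *src, size_t n) {
    size_t limit = sizeof *f;
    if (n > limit)
        n = limit;
    memcpy((uint8_t *)f, src, n);   /* runs past buf into canary when n > BUF_LEN */
    return n;
}

/* Models the function epilogue: 1 = canary intact, 0 = smashed. */
static int canary_intact(const struct frame *f, uint32_t cookie) {
    return f->canary == cookie;
}

/* One "call": set up the frame with the given cookie, do the copy, return
 * the epilogue verdict (1 = would return normally, 0 = __stack_chk_fail). */
int protected_call(const uint8_t *input, size_t n, uint32_t cookie) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = cookie;
    unchecked_copy(&f, input, n);
    return canary_intact(&f, cookie);
}

/* Benign input that fits the buffer: returns normally. */
int scenario_benign(void) {
    uint8_t in[8] = "hello";
    return protected_call(in, sizeof in, STATIC_COOKIE);
}

/* Overflow by four bytes of filler: the guard is clobbered and caught. */
int scenario_overflow_caught(void) {
    uint8_t in[BUF_LEN + 4];
    memset(in, 'A', sizeof in);
    return protected_call(in, sizeof in, STATIC_COOKIE);
}

/* Same overflow, but the attacker knows the static cookie and writes it
 * back over the guard: the check passes and nothing is detected.  This is
 * the weakness of the static fallback. */
int scenario_overflow_with_known_cookie(void) {
    uint8_t in[BUF_LEN + 4];
    memset(in, 'A', BUF_LEN);
    memcpy(in + BUF_LEN, &STATIC_COOKIE, sizeof STATIC_COOKIE);
    return protected_call(in, sizeof in, STATIC_COOKIE);
}

/* The same payload against a per-process cookie the attacker could not
 * predict (constructed "random" value): caught again. */
int scenario_overflow_fresh_cookie(void) {
    uint8_t in[BUF_LEN + 4];
    memset(in, 'A', BUF_LEN);
    memcpy(in + BUF_LEN, &STATIC_COOKIE, sizeof STATIC_COOKIE);
    return protected_call(in, sizeof in, 0x1d3f7a99U);
}

int main(void) {
    printf("benign input, static cookie:        intact=%d\n", scenario_benign());
    printf("overflow, static cookie:            intact=%d\n", scenario_overflow_caught());
    printf("overflow, known static cookie:      intact=%d\n", scenario_overflow_with_known_cookie());
    printf("overflow, known cookie vs fresh one: intact=%d\n", scenario_overflow_fresh_cookie());
    return 0;
}
```

The third scenario is the practical argument for the entropy source: a canary only helps against an attacker who cannot predict it. To confirm that a real build picked the flag up, check the binary for the runtime hook the compiler emits, e.g. `nm sshd | grep __stack_chk_fail` on a glibc system; an unprotected build has no such reference.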


