Enable gcc's -fstack-protector-all by default?

Rick Jones rick.jones2 at hp.com
Tue Nov 27 08:15:48 EST 2007

Darren Tucker wrote:
> Rick Jones wrote:
>> Darren Tucker wrote:
> [...]
>>> Can anyone think of a good reason not to enable it if the compiler
>>> supports it?  A quick test here shows minimal difference in runtime over
>>> a full regress pass (~10sec over 8.5 minutes, and since the machine is
>>> not entirely idle that could be experimental error).
>> Is this stack protection architecture neutral?
> I'm not sure but I suspect that it is given that HPPA was (last time I 
> looked) one of the main development platforms for gcc and that the 
> documentation doesn't say anything about it being platforms specific. 
> That said I haven't actually tried it on a stack-grows-up architecture 
> like HPPA (and can't at the moment).

I had IA64 at the back of my mind more than HPPA :)

Just general conservativeness would seem to suggest that until a broader 
number of platforms can be covered, it might not be time to become the 

> WRT to the cookie entropy source, it uses a /dev/urandom if you have it, 
> but failing that it will fall back to a static cookie, so it's weaker 
> but not quite worthless if you don't have kernel random support.

More information about the openssh-unix-dev mailing list