additional compiler hardening flags
Corinna Vinschen
vinschen at redhat.com
Thu Apr 18 22:19:13 EST 2013
On Apr 18 21:44, Darren Tucker wrote:
> On Thu, Apr 18, 2013 at 08:13:26PM +1000, Darren Tucker wrote:
> > On Thu, Apr 18, 2013 at 11:29:55AM +0200, Corinna Vinschen wrote:
> > > Sounds good to me, but wouldn't it be simpler to add -Werror by default
> > > in OSSH_CHECK_CFLAG_COMPILE and OSSH_CHECK_CFLAG_LINK?
> >
> > I considered that, but I was concerned it may mis-detect some of the other
> > options for compilers that aren't gcc, but identify themselves as such
> > enough that configure thinks they are and sets $GCC (eg clang, intelcc).
> > I guess we could check for -Werror too before using it.
>
> Like so.
Looks good. Here's what I get on Cygwin:
checking if gcc supports -Werror... yes
checking if gcc supports -Wall... yes
checking if gcc supports -Wpointer-arith... yes
checking if gcc supports -Wuninitialized... yes
checking if gcc supports -Wsign-compare... yes
checking if gcc supports -Wformat-security... yes
checking if gcc supports -Wpointer-sign... yes
checking if gcc supports -Wunused-result... yes
checking if gcc supports -fno-strict-aliasing... yes
checking if gcc supports -D_FORTIFY_SOURCE=2... yes
checking if gcc supports -ftrapv... yes
checking if gcc supports -fPIE... no
checking if gcc supports -pie... yes
checking if gcc supports -Wl,-z,relro... no
checking if gcc supports -Wl,-z,now... no
checking if gcc supports -Wl,-z,noexecstack... no
Note the "no" for -fPIE :)
Thanks,
Corinna
--
Corinna Vinschen
Cygwin Maintainer
Red Hat
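
Added example, not part of the original message and not OpenSSH's configure code: a shell sketch of the probing approach discussed above. -Werror is tested first, then added to each flag probe, so that a compiler which only warns about an unknown option is not recorded as supporting it. The function names, the `CC` default and the bogus flag name are assumptions for illustration.

```shell
#!/bin/sh
# Illustrative sketch only; these helpers are hypothetical, not OSSH_CHECK_CFLAG_COMPILE.
CC=${CC:-cc}    # assumption: default compiler command is "cc"

# try_compile FLAGS...: compile a trivial program with FLAGS, status 0 on success.
try_compile() {
    tmpdir=$(mktemp -d) || return 2
    printf 'int main(void) { return 0; }\n' > "$tmpdir/t.c"
    rc=0
    $CC "$@" -c "$tmpdir/t.c" -o "$tmpdir/t.o" >/dev/null 2>&1 || rc=$?
    rm -rf "$tmpdir"
    return $rc
}

# check_cflag FLAG: probe FLAG, adding -Werror only if the compiler accepts
# -Werror on its own, so "unknown option" warnings fail the probe.
check_cflag() {
    if try_compile -Werror; then
        try_compile -Werror "$1"
    else
        try_compile "$1"
    fi
}

# probe_flags FLAG...: report each probe on stderr in configure's style and
# print the space-separated list of accepted flags on stdout.
probe_flags() {
    accepted=
    for f in "$@"; do
        if check_cflag "$f"; then
            echo "checking if $CC supports $f... yes" >&2
            accepted="${accepted:+$accepted }$f"
        else
            echo "checking if $CC supports $f... no" >&2
        fi
    done
    echo "$accepted"
}

# Constructed demo: three flags from the thread plus one deliberately bogus name.
probe_flags -Wall -Wsign-compare -fPIE -Wthis-warning-does-not-exist
```

Each flag is probed on its own here, so the result for a flag that depends on another one being present can differ from a configure run that accumulates accepted flags.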