summaryrefslogtreecommitdiff
path: root/metadata/news
diff options
context:
space:
mode:
Diffstat (limited to 'metadata/news')
-rw-r--r--metadata/news/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt59
-rw-r--r--metadata/news/Manifest30
-rw-r--r--metadata/news/Manifest.files.gzbin14772 -> 14965 bytes
-rw-r--r--metadata/news/timestamp.chk2
-rw-r--r--metadata/news/timestamp.commit2
5 files changed, 76 insertions, 17 deletions
diff --git a/metadata/news/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt b/metadata/news/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt
new file mode 100644
index 000000000000..f0aab216a04f
--- /dev/null
+++ b/metadata/news/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt
@@ -0,0 +1,59 @@
+Title: Hardened profiles improvements
+Author: Sam James <sam@gentoo.org>
+Posted: 2023-01-01
+Revision: 2
+News-Item-Format: 2.0
+Display-If-Installed: sys-devel/gcc[hardened]
+Display-If-Profile: features/hardened
+Display-If-Profile: default/linux/ppc64le/17.0/musl/hardened
+Display-If-Profile: default/linux/ppc/17.0/musl/hardened
+Display-If-Profile: default/linux/amd64/17.0/no-multilib/hardened
+Display-If-Profile: default/linux/amd64/17.0/hardened
+Display-If-Profile: default/linux/amd64/17.0/musl/hardened
+Display-If-Profile: default/linux/amd64/17.1/hardened
+Display-If-Profile: default/linux/amd64/17.1/no-multilib/hardened
+Display-If-Profile: default/linux/x86/17.0/hardened
+Display-If-Profile: default/linux/arm/17.0/musl/armv7a/hardened
+Display-If-Profile: default/linux/arm/17.0/musl/armv6j/hardened
+Display-If-Profile: default/linux/arm/17.0/armv7a/hardened
+Display-If-Profile: default/linux/arm/17.0/armv6j/hardened
+Display-If-Profile: default/linux/ppc64/17.0/musl/hardened
+Display-If-Profile: default/linux/arm64/17.0/hardened
+Display-If-Profile: default/linux/arm64/17.0/musl/hardened
+
+Gentoo's hardened profiles are adopting two new modern toolchain hardening
+techniques:
+1. Level 3 fortification (-D_FORTIFY_SOURCE=3) [0]
+2. libstdc++ assertions (-D_GLIBCXX_ASSERTIONS) [1]
+
+These will both be enabled by default with USE=hardened on sys-devel/gcc
+for >=sys-devel/gcc-12.2.1_p20221231.
+
+To view the existing list of hardening changes applied by the profiles,
+see the wiki [2].
+
+Stable users may wish to add sys-devel/gcc-12.2.1_p20221231 into
+/etc/portage/package.accept_keywords if they wish to take advantage
+of these improvements early, before GCC 12 is marked stable.
+
+## Migration
+
+To fully take advantage of these new settings, GCC must first
+be upgraded, and then all packages must be re-emerged:
+1. # emerge --sync
+2. # emerge --verbose --oneshot ">=sys-devel/gcc-12.2.1_p20221231"
+3. # gcc-config latest
+4. # emerge --verbose --emptytree @world
+
+## Troubleshooting
+
+In the event that some packages fail at runtime, please file a bug
+with the full details. To temporarily workaround the problem,
+it should be possible to recompile broken packages with the
+following *FLAGS:
+CFLAGS="${CFLAGS} -D_FORTIFY_SOURCE=2"
+CXXFLAGS="${CXXFLAGS} -D_FORTIFY_SOURCE=2 -U_GLIBCXX_ASSERTIONS"
+
+[0] https://bugs.gentoo.org/876893
+[1] https://bugs.gentoo.org/876895
+[2] https://wiki.gentoo.org/wiki/Hardened/Toolchain#Changes
diff --git a/metadata/news/Manifest b/metadata/news/Manifest
index a82e0f27f3c0..e343fc6db83d 100644
--- a/metadata/news/Manifest
+++ b/metadata/news/Manifest
@@ -1,23 +1,23 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
-MANIFEST Manifest.files.gz 14772 BLAKE2B c0ec43cf49df478cb5e350d1531aac9276432611988c7c802f82a19b2bd8015b2549c008676c973d5df46854083de41f73054765216654ba4bed37764d4a75a6 SHA512 e3e6cd7d6c0e6d8e35843328b38fd08e2693bc1ed83efb7e6b4ccd8b373e42dd390050e12471c82dcd3bf19fe6af8c3cf76d04659d93e15bf3785bb8aa0f4bd8
-TIMESTAMP 2023-01-01T19:39:56Z
+MANIFEST Manifest.files.gz 14965 BLAKE2B 0511d9d714cebde2326e23abfa24bba7318694b5216c96f343d6d94416db2ba397ccc9f0f63ea9c7707aa0414d66e329fb1669bedb5e961cf73b188b04dac363 SHA512 bc41483b3882eeb50bbf35dc4b007fdb5080fc09c4d64d83706e8c2e509eccc05aa28c839c8c30c89e9b3fbc6832e099264b3f3b6e0b76887f0b37a1f8a14e1d
+TIMESTAMP 2023-01-02T01:39:54Z
-----BEGIN PGP SIGNATURE-----
-iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmOx4YxfFIAAAAAALgAo
+iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmOyNetfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx
RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY
-klCMzBAAj4hY3jqZ3DGMRNPdbZnLsE2Ud0IEGzF5Ok/tbEy5YVYkpwuc1yb4ZKIT
-Qkxw1kn+9qJaUiaXiC26FLCC4zftd0Rvac2IxOF34feY1t4xyNC1OPazfFrPWJ+1
-igz4OFHbUO7G8VYd0cwy4v25RDR/PvVUgBwcc0W51Wv7AeY6qFil3He8xYgtVGV9
-Lp52bvV2VMvSV7vkH7hb4mXrH0A/24B3lU/e5279uw3x/U/6aYxK1Hsh9cbEv+bM
-kEZEgR8g8UxP5SQ63U5XsNoE8XQjMeP0KujSGls7juzh2tJE+38EDTl9RKM5NYZb
-Qp5LpuEPjY57aQMpMaVAGOHRvAq+OE8ZFtTmaHMsYEI55WzMHX4pkkqfqoYyz7Hl
-pLmQNo1kf9GkUFtms79x4hrpoI3Fp/yGE+/XrrEN9RvHTjb4h78U+0T8MBEy4/l/
-iF6Au93OybErljmJKB2zeryux24GPn3y6qq2myG0fa9Varug4eR92Z9xlSsWKiFU
-j6OL/HSPTAPEwbNVlPeuODHSLFR25W3HhEd8HaotwjJCpNPuHf2vOI0NBxA1Gqx4
-2Iw09Q/dIbz38pRRCYNGGAphnhEf6zA82+knOwO7c2tuyrVTC8GcAlep6c2sPtbr
-w0dBT4t+za+qsi+TDt51WNKYTTTyADHmD07uQwl4VVIG7ncS330=
-=qvjB
+klAWlg//fmjuoNklX+hnTVILJOs/1jPH1d5DyTsFySh4YiMaavPXbpw+cRNWPtZC
+doq7Op1vkWTzpPL/yzcD817vPJstoksWLCOOoeKPr7tfMAZJSUlhM43d5pfJVI+6
+oVDjeZQj5cqTr118arIXbDf5SjA7X0PtCre5ZIppts+sCf3UL8ye3ZMVd0sbtUBl
+l5gKVXWM+zQLtV2jttsbpxtfwJZd0Cb8nFCuJE5g5xVbPI6HXH4swHP9VnNk2U1q
+eSgp1bI2bRIVA+rf8MYTAs5vRBBohtWGR+YVH1CChWwO5io0DwNlSD8vtqybZu6f
+N1zHxl7FdmfjjFed6WJlmo8irDO/yruXiVVxjH8o1WbxZhskHbzrpyu+sypnXwRs
+/zYD56SedAgSCZnwmPcXNDpkc6D8/1dcVd9vfkvTqg4wl1vLIC/RdYquRDKR15A3
+MvxxkluRvyQFoaZjYDoc2Rb9MOmVZrUaScpj4FajQQ/uFgkZ9HqBUgbKvGVOI1wm
+XAt1WokxRvRjw7Y4wh1igCcR3/Zdooav4lHdpMq4BdiOSHuh06EM9i8KzgHzlDIX
+8fPY63YnFeb8aNyn47dUMLGMYgrVP0yvnBsnHRSkonZBHYNwPq7F0ZtRJaW7R/R5
+gR3V0sV/XRO4uQoNKTYh6oTczKPupNWOKZ0K4e7QHvB81EumnN8=
+=HcrN
-----END PGP SIGNATURE-----
diff --git a/metadata/news/Manifest.files.gz b/metadata/news/Manifest.files.gz
index 7bcb0962ddf9..56b30d6fbe8f 100644
--- a/metadata/news/Manifest.files.gz
+++ b/metadata/news/Manifest.files.gz
Binary files differ
diff --git a/metadata/news/timestamp.chk b/metadata/news/timestamp.chk
index 49e9ef005049..67a64a6cd9b6 100644
--- a/metadata/news/timestamp.chk
+++ b/metadata/news/timestamp.chk
@@ -1 +1 @@
-Sun, 01 Jan 2023 19:39:53 +0000
+Mon, 02 Jan 2023 01:39:52 +0000
diff --git a/metadata/news/timestamp.commit b/metadata/news/timestamp.commit
index b523ddedf949..e2e96924977f 100644
--- a/metadata/news/timestamp.commit
+++ b/metadata/news/timestamp.commit
@@ -1 +1 @@
-577cef52c20b850057e0ab863cc7b38b14e6e6c2 1672382891 2022-12-30T06:48:11+00:00
+6b8c798b7b8b2b2ea9cb833842c733c494ad0df2 1672611025 2023-01-01T22:10:25+00:00
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-05 00:09:18 +0000