Diffstat (limited to 'metadata/news')
-rw-r--r-- | metadata/news/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt | 59 | ||||
-rw-r--r-- | metadata/news/Manifest | 30 | ||||
-rw-r--r-- | metadata/news/Manifest.files.gz | bin | 14772 -> 14965 bytes | |||
-rw-r--r-- | metadata/news/timestamp.chk | 2 | ||||
-rw-r--r-- | metadata/news/timestamp.commit | 2 |
5 files changed, 76 insertions, 17 deletions
diff --git a/metadata/news/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt b/metadata/news/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt
new file mode 100644
index 000000000000..f0aab216a04f
--- /dev/null
+++ b/metadata/news/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt
@@ -0,0 +1,59 @@
+Title: Hardened profiles improvements
+Author: Sam James <sam@gentoo.org>
+Posted: 2023-01-01
+Revision: 2
+News-Item-Format: 2.0
+Display-If-Installed: sys-devel/gcc[hardened]
+Display-If-Profile: features/hardened
+Display-If-Profile: default/linux/ppc64le/17.0/musl/hardened
+Display-If-Profile: default/linux/ppc/17.0/musl/hardened
+Display-If-Profile: default/linux/amd64/17.0/no-multilib/hardened
+Display-If-Profile: default/linux/amd64/17.0/hardened
+Display-If-Profile: default/linux/amd64/17.0/musl/hardened
+Display-If-Profile: default/linux/amd64/17.1/hardened
+Display-If-Profile: default/linux/amd64/17.1/no-multilib/hardened
+Display-If-Profile: default/linux/x86/17.0/hardened
+Display-If-Profile: default/linux/arm/17.0/musl/armv7a/hardened
+Display-If-Profile: default/linux/arm/17.0/musl/armv6j/hardened
+Display-If-Profile: default/linux/arm/17.0/armv7a/hardened
+Display-If-Profile: default/linux/arm/17.0/armv6j/hardened
+Display-If-Profile: default/linux/ppc64/17.0/musl/hardened
+Display-If-Profile: default/linux/arm64/17.0/hardened
+Display-If-Profile: default/linux/arm64/17.0/musl/hardened
+
+Gentoo's hardened profiles are adopting two new modern toolchain hardening
+techniques:
+1. Level 3 fortification (-D_FORTIFY_SOURCE=3) [0]
+2. libstdc++ assertions (-D_GLIBCXX_ASSERTIONS) [1]
+
+These will both be enabled by default with USE=hardened on sys-devel/gcc
+for >=sys-devel/gcc-12.2.1_p20221231.
+
+To view the existing list of hardening changes applied by the profiles,
+see the wiki [2].
+
+Stable users may wish to add sys-devel/gcc-12.2.1_p20221231 into
+/etc/portage/package.accept_keywords if they wish to take advantage
+of these improvements early, before GCC 12 is marked stable.
+
+## Migration
+
+To fully take advantage of these new settings, GCC must first
+be upgraded, and then all packages must be re-emerged:
+1. # emerge --sync
+2. # emerge --verbose --oneshot ">=sys-devel/gcc-12.2.1_p20221231"
+3. # gcc-config latest
+4. # emerge --verbose --emptytree @world
+
+## Troubleshooting
+
+In the event that some packages fail at runtime, please file a bug
+with the full details. To temporarily workaround the problem,
+it should be possible to recompile broken packages with the
+following *FLAGS:
+CFLAGS="${CFLAGS} -D_FORTIFY_SOURCE=2"
+CXXFLAGS="${CXXFLAGS} -D_FORTIFY_SOURCE=2 -U_GLIBCXX_ASSERTIONS"
+
+[0] https://bugs.gentoo.org/876893
+[1] https://bugs.gentoo.org/876895
+[2] https://wiki.gentoo.org/wiki/Hardened/Toolchain#Changes
diff --git a/metadata/news/Manifest b/metadata/news/Manifest
index a82e0f27f3c0..e343fc6db83d 100644
--- a/metadata/news/Manifest
+++ b/metadata/news/Manifest
@@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 14772 BLAKE2B c0ec43cf49df478cb5e350d1531aac9276432611988c7c802f82a19b2bd8015b2549c008676c973d5df46854083de41f73054765216654ba4bed37764d4a75a6 SHA512 e3e6cd7d6c0e6d8e35843328b38fd08e2693bc1ed83efb7e6b4ccd8b373e42dd390050e12471c82dcd3bf19fe6af8c3cf76d04659d93e15bf3785bb8aa0f4bd8 -TIMESTAMP 2023-01-01T19:39:56Z +MANIFEST Manifest.files.gz 14965 BLAKE2B 0511d9d714cebde2326e23abfa24bba7318694b5216c96f343d6d94416db2ba397ccc9f0f63ea9c7707aa0414d66e329fb1669bedb5e961cf73b188b04dac363 SHA512 bc41483b3882eeb50bbf35dc4b007fdb5080fc09c4d64d83706e8c2e509eccc05aa28c839c8c30c89e9b3fbc6832e099264b3f3b6e0b76887f0b37a1f8a14e1d +TIMESTAMP 2023-01-02T01:39:54Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmOx4YxfFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAmOyNetfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klCMzBAAj4hY3jqZ3DGMRNPdbZnLsE2Ud0IEGzF5Ok/tbEy5YVYkpwuc1yb4ZKIT -Qkxw1kn+9qJaUiaXiC26FLCC4zftd0Rvac2IxOF34feY1t4xyNC1OPazfFrPWJ+1 -igz4OFHbUO7G8VYd0cwy4v25RDR/PvVUgBwcc0W51Wv7AeY6qFil3He8xYgtVGV9 -Lp52bvV2VMvSV7vkH7hb4mXrH0A/24B3lU/e5279uw3x/U/6aYxK1Hsh9cbEv+bM -kEZEgR8g8UxP5SQ63U5XsNoE8XQjMeP0KujSGls7juzh2tJE+38EDTl9RKM5NYZb -Qp5LpuEPjY57aQMpMaVAGOHRvAq+OE8ZFtTmaHMsYEI55WzMHX4pkkqfqoYyz7Hl -pLmQNo1kf9GkUFtms79x4hrpoI3Fp/yGE+/XrrEN9RvHTjb4h78U+0T8MBEy4/l/ -iF6Au93OybErljmJKB2zeryux24GPn3y6qq2myG0fa9Varug4eR92Z9xlSsWKiFU -j6OL/HSPTAPEwbNVlPeuODHSLFR25W3HhEd8HaotwjJCpNPuHf2vOI0NBxA1Gqx4 -2Iw09Q/dIbz38pRRCYNGGAphnhEf6zA82+knOwO7c2tuyrVTC8GcAlep6c2sPtbr -w0dBT4t+za+qsi+TDt51WNKYTTTyADHmD07uQwl4VVIG7ncS330= -=qvjB +klAWlg//fmjuoNklX+hnTVILJOs/1jPH1d5DyTsFySh4YiMaavPXbpw+cRNWPtZC +doq7Op1vkWTzpPL/yzcD817vPJstoksWLCOOoeKPr7tfMAZJSUlhM43d5pfJVI+6 +oVDjeZQj5cqTr118arIXbDf5SjA7X0PtCre5ZIppts+sCf3UL8ye3ZMVd0sbtUBl 
+l5gKVXWM+zQLtV2jttsbpxtfwJZd0Cb8nFCuJE5g5xVbPI6HXH4swHP9VnNk2U1q +eSgp1bI2bRIVA+rf8MYTAs5vRBBohtWGR+YVH1CChWwO5io0DwNlSD8vtqybZu6f +N1zHxl7FdmfjjFed6WJlmo8irDO/yruXiVVxjH8o1WbxZhskHbzrpyu+sypnXwRs +/zYD56SedAgSCZnwmPcXNDpkc6D8/1dcVd9vfkvTqg4wl1vLIC/RdYquRDKR15A3 +MvxxkluRvyQFoaZjYDoc2Rb9MOmVZrUaScpj4FajQQ/uFgkZ9HqBUgbKvGVOI1wm +XAt1WokxRvRjw7Y4wh1igCcR3/Zdooav4lHdpMq4BdiOSHuh06EM9i8KzgHzlDIX +8fPY63YnFeb8aNyn47dUMLGMYgrVP0yvnBsnHRSkonZBHYNwPq7F0ZtRJaW7R/R5 +gR3V0sV/XRO4uQoNKTYh6oTczKPupNWOKZ0K4e7QHvB81EumnN8= +=HcrN -----END PGP SIGNATURE----- diff --git a/metadata/news/Manifest.files.gz b/metadata/news/Manifest.files.gz Binary files differindex 7bcb0962ddf9..56b30d6fbe8f 100644 --- a/metadata/news/Manifest.files.gz +++ b/metadata/news/Manifest.files.gz diff --git a/metadata/news/timestamp.chk b/metadata/news/timestamp.chk index 49e9ef005049..67a64a6cd9b6 100644 --- a/metadata/news/timestamp.chk +++ b/metadata/news/timestamp.chk @@ -1 +1 @@ -Sun, 01 Jan 2023 19:39:53 +0000 +Mon, 02 Jan 2023 01:39:52 +0000 diff --git a/metadata/news/timestamp.commit b/metadata/news/timestamp.commit index b523ddedf949..e2e96924977f 100644 --- a/metadata/news/timestamp.commit +++ b/metadata/news/timestamp.commit @@ -1 +1 @@ -577cef52c20b850057e0ab863cc7b38b14e6e6c2 1672382891 2022-12-30T06:48:11+00:00 +6b8c798b7b8b2b2ea9cb833842c733c494ad0df2 1672611025 2023-01-01T22:10:25+00:00 |