FS#52109 - [hardening-wrapper] Is this package still useful ?
Attached to Project:
Community Packages
Opened by Jean (rfnx) - Sunday, 11 December 2016, 05:09 GMT
Last edited by Daniel Micay (thestinger) - Monday, 19 December 2016, 13:58 GMT
Details
Description:
Recently, I had a very annoying bug caused by hardening-wrapper, and I spent several hours finding out why I couldn't compile the package influxdb from the AUR: the influxdb build process stops with an error if your kernel was compiled with hardening-wrapper installed. The weird detail is that hardening-wrapper can be installed when compiling influxdb, but not during the kernel compilation!

So, after the incident I looked at the source of hardening-wrapper at https://github.com/thestinger/hardening-wrapper and now my questions are:

Is hardening-wrapper still useful? I am wondering because:
- the default values used nowadays in /etc/makepkg.conf for CPPFLAGS, CFLAGS and CXXFLAGS are close to the default values in /etc/hardening-wrapper.conf.
- hardening-wrapper is not required by many packages

Is it safe to remove hardening-wrapper, even if I have to compile nginx?

Also, if I put all variables to zero in /etc/hardening-wrapper.conf, is it exactly the same as uninstalling the package? I don't fully understand the source code so I am not sure. I don't want to remove the default flags given by /etc/makepkg.conf.

I really don't want to have another hard-to-find bug during compilation, or worse, when programs are running...

Of course, thanks for your work on Archlinux.org!

Regards

Additional info:
* package version(s): 10-1
* default config
Closed by Daniel Micay (thestinger)
Monday, 19 December 2016, 13:58 GMT
Reason for closing: None
Additional comments about closing: The hardening-wrapper package exists to enable PIE, which cannot simply be done with CFLAGS/LDFLAGS, and to deal with packages ignoring CFLAGS/LDFLAGS. It is still useful, although it will become less useful once --enable-default-pie is implemented for Arch's GCC.