robert at linuxfromscratch.org
Mon Jun 26 21:10:54 PDT 2006
I've had trouble finding documentation for -D_FORTIFY_SOURCE... its not in the
gcc man page. But I did find this:
which gives a pretty good description. -D_FORTIFY_SOURCE=2 is by-far the most
popular choice. -D_FORTIFY_SOURCE=3 looks like a debugging feature, and
-D_FORTIFY_SOURCE=4 looks like a way to disable FORTIFY_SOURCE while still
defining it. -D_FORTIFY_SOURCE=1 I'm not so clear on.
As an effort at code auditing, I'd like to strive to use "-Wall -Werror" too.
This will require patching to most packages to get their code up to date with
gcc-4.1. "-Wformat=2 -Werror" (this includes -Wformat -Wformat-nonliteral
-Wformat-security -Wformat-y2k) is another idea too. For those of us who
don't know what vulnerable code looks like, using these options could help.
After looking at the clfs book, and testing, it looks like we can drop the
installation of libc-headers from chapter 5. The adjusting toolchain in
chapter 5 can probably go too, only the test needs to be done and that can be
done in the libc page.
More information about the hlfs-dev