author: Repository mirror & CI <repomirrorci@gentoo.org> 2023-01-02 02:04:27 +0000
committer: Repository mirror & CI <repomirrorci@gentoo.org> 2023-01-02 02:04:27 +0000
commit: 416d4dbee61824c5c34c4bc830c77f8f9d11aaf2
tree: 2010f6fed252d28e248a40b312c37b0ed870b91c /metadata/news
parent: 2023-01-02 01:16:58 UTC
parent: 2023-01-01-hardening-fortify-assertions: add Display-If-Installed: sys-devel/...
Merge commit '6b8c798b7b8b2b2ea9cb833842c733c494ad0df2'
Diffstat (limited to 'metadata/news')
-rw-r--r-- metadata/news/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt | 59
1 files changed, 59 insertions, 0 deletions
diff --git a/metadata/news/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt b/metadata/news/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt
new file mode 100644
index 000000000000..f0aab216a04f
--- /dev/null
+++ b/metadata/news/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt
@@ -0,0 +1,59 @@
+Title: Hardened profiles improvements
+Author: Sam James <sam@gentoo.org>
+Posted: 2023-01-01
+Revision: 2
+News-Item-Format: 2.0
+Display-If-Installed: sys-devel/gcc[hardened]
+Display-If-Profile: features/hardened
+Display-If-Profile: default/linux/ppc64le/17.0/musl/hardened
+Display-If-Profile: default/linux/ppc/17.0/musl/hardened
+Display-If-Profile: default/linux/amd64/17.0/no-multilib/hardened
+Display-If-Profile: default/linux/amd64/17.0/hardened
+Display-If-Profile: default/linux/amd64/17.0/musl/hardened
+Display-If-Profile: default/linux/amd64/17.1/hardened
+Display-If-Profile: default/linux/amd64/17.1/no-multilib/hardened
+Display-If-Profile: default/linux/x86/17.0/hardened
+Display-If-Profile: default/linux/arm/17.0/musl/armv7a/hardened
+Display-If-Profile: default/linux/arm/17.0/musl/armv6j/hardened
+Display-If-Profile: default/linux/arm/17.0/armv7a/hardened
+Display-If-Profile: default/linux/arm/17.0/armv6j/hardened
+Display-If-Profile: default/linux/ppc64/17.0/musl/hardened
+Display-If-Profile: default/linux/arm64/17.0/hardened
+Display-If-Profile: default/linux/arm64/17.0/musl/hardened
+
+Gentoo's hardened profiles are adopting two new modern toolchain hardening
+techniques:
+1. Level 3 fortification (-D_FORTIFY_SOURCE=3) [0]
+2. libstdc++ assertions (-D_GLIBCXX_ASSERTIONS) [1]
+
+These will both be enabled by default with USE=hardened on sys-devel/gcc
+for >=sys-devel/gcc-12.2.1_p20221231.
+
+To view the existing list of hardening changes applied by the profiles,
+see the wiki [2].
+
+Stable users may wish to add sys-devel/gcc-12.2.1_p20221231 into
+/etc/portage/package.accept_keywords if they wish to take advantage
+of these improvements early, before GCC 12 is marked stable.
+
+## Migration
+
+To fully take advantage of these new settings, GCC must first
+be upgraded, and then all packages must be re-emerged:
+1. # emerge --sync
+2. # emerge --verbose --oneshot ">=sys-devel/gcc-12.2.1_p20221231"
+3. # gcc-config latest
+4. # emerge --verbose --emptytree @world
+
+## Troubleshooting
+
+In the event that some packages fail at runtime, please file a bug
+with the full details. To temporarily workaround the problem,
+it should be possible to recompile broken packages with the
+following *FLAGS:
+CFLAGS="${CFLAGS} -D_FORTIFY_SOURCE=2"
+CXXFLAGS="${CXXFLAGS} -D_FORTIFY_SOURCE=2 -U_GLIBCXX_ASSERTIONS"
+
+[0] https://bugs.gentoo.org/876893
+[1] https://bugs.gentoo.org/876895
+[2] https://wiki.gentoo.org/wiki/Hardened/Toolchain#Changes
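Review bot: In the "Stable users may wish to add sys-devel/gcc-12.2.1_p20221231 into /etc/portage/package.accept_keywords" paragraph, the atom carries a version but no operator, and Portage rejects a versioned atom without one, so a reader who copies it literally gets an invalid entry. Suggest writing it with an operator, for example reusing the `>=sys-devel/gcc-12.2.1_p20221231` form already used in Migration step 2. The Migration list should also point back to that paragraph, because step 2 as written assumes the version is already accepted on the system, which it is not for stable users. In Troubleshooting, the two *FLAGS lines do not say where to set them; since they lower fortification to level 2 and undefine the libstdc++ assertions, it would help to state that they are meant for the affected packages only rather than for the global flags. Minor wording: "To temporarily workaround" should read "work around".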