Mailing List Archive: Gentoo: Hardened

gcc-4.3.4 stabilized for a hardened profile?



emailgrant at gmail

Oct 18, 2009, 8:42 AM

Post #1 of 12 (1710 views)
gcc-4.3.4 stabilized for a hardened profile?

I've been stuck on gcc-3.4.6 on my hardened profile system (currently:
hardened/linux/amd64/10.0) for a very long time. Now it looks like
gcc-4.3.4 has been stabilized for hardened profiles. Has anyone
tested it? This system is critical for me, so I've got to be careful.

- Grant


letharion at gmail

Oct 18, 2009, 8:51 AM

Post #2 of 12 (1665 views)
Re: gcc-4.3.4 stabilized for a hardened profile? [In reply to]

I haven't seen any posts with problems.
I use x86 and haven't noticed any problems either, but I haven't used that
system much.
Check bugzilla.

Pasting the original announcement below.


2009/10/18 Grant <emailgrant [at] gmail>

> I've been stuck on gcc-3.4.6 on my hardened profile system (currently:
> hardened/linux/amd64/10.0) for a very long time. Now it looks like
> gcc-4.3.4 has been stabilized for hardened profiles. Has anyone
> tested it? This system is critical for me, so I've got to be careful.
>
> - Grant
>
>
Hello Hardened users, this is just a quick heads up. GCC 4.3.4 will be going
stable on hardened profiles shortly. Unlike Hardened GCC 3.4.6, this version
lacks default SSP building. However, FORTIFY_SOURCE=2 and -fno-strict-overflow
are now enabled by default. Other Hardened compiler features (ex. default
relro, bind now & pic/pie building) remain enabled - no change from 3.4.6.

It is regrettable this must be done before GCC4 is SSP-by-default enabled.
However, more and more packages require the newer GCC. The stable GCC on
Hardened has been GCC 3.4.6 for a long time, but this has become an untenable
situation. GCC4 SSP-by-default works and will be added in a later revision -
some GCC4+SSP bugs in grub and glibc also remain to be fixed.

Please follow '2. General Upgrade Instructions' in the 'Gentoo GCC Upgrade
Guide' [1] when upgrading from GCC 3.4.x to GCC 4.3.x. The upgrade should be
relatively smooth, but if you run into upgrade troubles seek help via this
mailing list, bugs.gentoo.org, or irc.freenode.net, #gentoo-hardened.

[1] http://www.gentoo.org/doc/en/gcc-upgrading.xml


lists at wildgooses

Oct 18, 2009, 9:18 AM

Post #3 of 12 (1657 views)
Re: gcc-4.3.4 stabilized for a hardened profile? [In reply to]

Grant wrote:
> I've been stuck on gcc-3.4.6 on my hardened profile system (currently:
> hardened/linux/amd64/10.0) for a very long time. Now it looks like
> gcc-4.3.4 has been stabilized for hardened profiles. Has anyone
> tested it? This system is critical for me, so I've got to be careful.
>
>

Probably not much help in this case, but +1 for just virtualising all
new servers as soon as you get the hardware! I use linux-vserver which
is super lightweight and makes testing upgrades of everything (except
the host) a fairly straightforward job: just duplicate the vserver
first (or at least shut it down and near instantly back it up).

Not tested 4.3 myself so no real answer to your question though...

Good luck

Ed W


michael at orlitzky

Oct 18, 2009, 11:45 AM

Post #4 of 12 (1662 views)
Re: gcc-4.3.4 stabilized for a hardened profile? [In reply to]

Grant wrote:
> I've been stuck on gcc-3.4.6 on my hardened profile system (currently:
> hardened/linux/amd64/10.0) for a very long time. Now it looks like
> gcc-4.3.4 has been stabilized for hardened profiles. Has anyone
> tested it? This system is critical for me, so I've got to be careful.
>
> - Grant
>

A lot of us have been testing the new GCC for a while now using the
hardened-development overlay. It's as stable as 3.4.x was in my experience.

About a year and a half ago, I reformatted a laptop and started from
scratch using gcc-4.x from the overlay, because what the hell. Many
issues from the gcc-3.x era actually cleared up with the new toolchain.
Once I convinced myself that things were working correctly, I began to
migrate "real" systems to the development GCC one at a time.

All of my personal machines are using gcc-4.x, and things work much
better on the desktop than they did with gcc-3.x. Many of our servers
have also been migrated: web, database, dns, mail, monitoring, firewall,
etc. all work fine. I have noticed absolutely no difference (either
positive or negative) on those machines.

In short, switching your default compiler with gcc-config isn't going to
change anything. Test any new packages/upgrades just as you would have
with gcc-3.x.


emailgrant at gmail

Oct 27, 2009, 11:53 AM

Post #5 of 12 (1603 views)
Re: gcc-4.3.4 stabilized for a hardened profile? [In reply to]

>> I've been stuck on gcc-3.4.6 on my hardened profile system (currently:
>> hardened/linux/amd64/10.0) for a very long time.  Now it looks like
>> gcc-4.3.4 has been stabilized for hardened profiles.  Has anyone
>> tested it?  This system is critical for me, so I've got to be careful.
>>
>> - Grant
>>
>
> A lot of us have been testing the new GCC for a while now using the
> hardened-development overlay. It's as stable as 3.4.x was in my experience.
>
> About a year and a half ago, I reformatted a laptop and started from scratch
> using gcc-4.x from the overlay, because what the hell. Many issues from the
> gcc-3.x era actually cleared up with the new toolchain. Once I convinced
> myself that things were working correctly, I began to migrate "real" systems
> to the development GCC one at a time.
>
> All of my personal machines are using gcc-4.x, and things work much better
> on the desktop than they did with gcc-3.x. Many of our servers have also
> been migrated: web, database, dns, mail, monitoring, firewall, etc. all work
> fine. I have noticed absolutely no difference (either positive or negative)
> on those machines.
>
> In short, switching your default compiler with gcc-config isn't going to
> change anything. Test any new packages/upgrades just as you would have with
> gcc-3.x.

That's great. I'm up against a mysql upgrade that doesn't want to go
through without the new gcc, so I'm going for it now.

I have 4 desktops on a non-hardened profile and 1 server on a hardened
profile. I'd love to put the desktops on a hardened profile with this
new gcc. Can I switch from non-hardened to hardened?

- Grant


michael at orlitzky

Oct 27, 2009, 12:57 PM

Post #6 of 12 (1604 views)
Re: gcc-4.3.4 stabilized for a hardened profile? [In reply to]

Grant wrote:
>
> That's great. I'm up against a mysql upgrade that doesn't want to go
> through without the new gcc, so I'm going for it now.
>
> I have 4 desktops on a non-hardened profile and 1 server on a hardened
> profile. I'd love to put the desktops on a hardened profile with this
> new gcc. Can I switch from non-hardened to hardened?
>
> - Grant
>

Yep. Just switch your profile to the hardened one, and emerge system
(the FAQ[1] claims only binutils, gcc, and virtual/libc are necessary).
Then, switch your compiler, and emerge -ve world to recompile everything
with the new GCC.

Note that I said there were *fewer* problems with gcc-4.x than there
were with gcc-3.x hardened. That doesn't mean there aren't problems
using hardened for a desktop machine. A few packages, e.g.

* Non-free video drivers
* Wine
* Mplayer
* OpenOffice

usually fail unless you switch to vanilla GCC temporarily. Although, now
that gcc-4.x is stable, we can probably file these as bugs and get them
fixed.


[1] http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml


franxisco1988 at gmail

Oct 27, 2009, 1:55 PM

Post #7 of 12 (1600 views)
Re: gcc-4.3.4 stabilized for a hardened profile? [In reply to]

2009/10/27 Michael Orlitzky <michael [at] orlitzky>:
> *  Non-free video drivers
> *  Wine
> *  Mplayer
> *  OpenOffice
>
> usually fail unless you switch to vanilla GCC temporarily. Although, now
> that gcc-4.x is stable, we can probably file these as bugs and get them
> fixed.
Wine doesn't fail for me but you must mark -m the wine-preloader
binary if you use PAX.
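The announcement quoted above says the hardened GCC keeps default relro, bind now and pic/pie building while dropping default SSP, and klondike's reply says wine-preloader needs a PaX `-m` (MPROTECT off) marking. Both claims are things an administrator can verify on the resulting binaries rather than take on trust. The following script is an added example written for this archive, not code from the thread or from Gentoo: it parses the ELF64 header, program headers and dynamic section of a binary and reports PIE, RELRO level (partial vs. full, where "full" means PT_GNU_RELRO plus BIND_NOW), NX stack, and whether the PT_PAX_FLAGS header carries the NOMPROTECT bit that `paxctl -m` sets. The sample images it checks are constructed in-process (only headers, not runnable binaries); the constant values come from elf.h and the PaX headers. SSP cannot be seen from these headers (it needs the symbol table), and PaX markings stored as xattrs rather than in PT_PAX_FLAGS are not read.

```python
"""Static hardening check over ELF64 headers: PIE, RELRO/BIND_NOW, NX stack
and PaX MPROTECT marking. Sample images are constructed below; pass a path
on the command line to check a real binary."""
import struct
import sys

# ELF and PaX constants (values from elf.h / PaX headers)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PT_PAX_FLAGS = 0x65041580
PF_X = 0x1
PF_NOMPROTECT = 1 << 9                  # the bit `paxctl -m` sets
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                  # Elf64_Dyn, 16 bytes


def check_hardening(data: bytes) -> dict:
    """Return the properties a hardened toolchain is expected to produce
    (PIE, full RELRO, NX stack) plus whether PaX MPROTECT is disabled."""
    hdr = EHDR.unpack_from(data, 0)
    if hdr[0][:4] != b"\x7fELF" or hdr[0][4] != 2:
        raise ValueError("not an ELF64 file")
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]

    dyn_off = dyn_size = None
    relro = nx = False          # no PT_GNU_STACK at all means an executable stack
    pax_flags = None
    for i in range(e_phnum):
        p_type, p_flags, p_off, _va, _pa, p_filesz, _ms, _al = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_off, p_filesz
        elif p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_PAX_FLAGS:
            pax_flags = p_flags

    # BIND_NOW can be expressed three ways; any of them upgrades RELRO to "full"
    bind_now = False
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, DYN.size):
            d_tag, d_val = DYN.unpack_from(data, off)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_BIND_NOW
                    or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                bind_now = True

    return {
        "pie": e_type == ET_DYN,
        "relro": "full" if relro and bind_now else "partial" if relro else "none",
        "nx_stack": nx,
        "mprotect_disabled": pax_flags is not None and bool(pax_flags & PF_NOMPROTECT),
    }


def build_sample(pie=True, relro=True, bind_now=True, nx=True, pax_nomprotect=False) -> bytes:
    """Construct a minimal ELF64 image holding only the headers the check
    reads. Sample data for this example, not a loadable binary."""
    tags = ([(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)] if bind_now else [])
    dyn = b"".join(DYN.pack(t, v) for t, v in tags + [(DT_NULL, 0)])
    kinds = [PT_DYNAMIC, PT_GNU_STACK, PT_PAX_FLAGS] + ([PT_GNU_RELRO] if relro else [])
    dyn_off = EHDR.size + PHDR.size * len(kinds)
    phdrs = b""
    for k in kinds:
        flags, off, size = 0x6, 0, 0            # default RW, no file range
        if k == PT_DYNAMIC:
            off, size = dyn_off, len(dyn)
        elif k == PT_GNU_STACK and not nx:
            flags = 0x7                         # RWX: executable stack
        elif k == PT_PAX_FLAGS:
            flags = PF_NOMPROTECT if pax_nomprotect else 0
        phdrs += PHDR.pack(k, flags, off, off, off, size, size, 8)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(kinds), 0, 0, 0)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], check_hardening(f.read()))
    else:
        print("hardened-style sample:", check_hardening(build_sample()))
        print("vanilla-style sample: ", check_hardening(
            build_sample(pie=False, relro=False, bind_now=False)))
```

Run it over `/usr/bin/wine-preloader` (or any binary) after the `emerge -ve world` to confirm the toolchain defaults actually landed; a result of `relro: partial` on a hardened profile is the kind of discrepancy worth a bug report, and `mprotect_disabled: True` on anything other than the few binaries you deliberately marked is worth a second look.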


p.labushev at gmail

Oct 27, 2009, 3:50 PM

Post #8 of 12 (1610 views)
Re: gcc-4.3.4 stabilized for a hardened profile? [In reply to]

Michael Orlitzky wrote:

> using hardened for a desktop machine. A few packages, e.g.

> * Mplayer
> * OpenOffice

There wasn't a /single/ failure on x86 with these two for me, despite my
having compiled them with 3.4.6/4.1.2/4.3.3 - all hardened and always with
SSP flags enabled in specs. So at least it's worth a try before switching
to vanilla compilers.

> usually fail unless you switch to vanilla GCC temporarily. Although, now


p.labushev at gmail

Oct 27, 2009, 3:53 PM

Post #9 of 12 (1607 views)
Re: gcc-4.3.4 stabilized for a hardened profile? [In reply to]

klondike wrote:
> 2009/10/27 Michael Orlitzky <michael [at] orlitzky>:
>> * Non-free video drivers
>> * Wine
>> * Mplayer
>> * OpenOffice
>>
>> usually fail unless you switch to vanilla GCC temporarily. Although, now
>> that gcc-4.x is stable, we can probably file these as bugs and get them
>> fixed.
> Wine doesn't fail for me but you must mark -m the wine-preloader
> binary if you use PAX.

Btw, Wine was fine too with hardened GCC 4.x on x86, just without SSP
and with the right PaX flags on the binaries.


kutulu at kutulu

Oct 27, 2009, 7:59 PM

Post #10 of 12 (1600 views)
Re: gcc-4.3.4 stabilized for a hardened profile? [In reply to]

On 10/27/2009 6:50 PM, Pavel Labushev wrote:
> Michael Orlitzky wrote:
>
>> using hardened for a desktop machine. A few packages, e.g.
>
>> * Mplayer
>> * OpenOffice
>
> There wasn't a /single/ failure on x86 with these two for me, despite I
> compiled it with 3.4.6/4.1.2/4.3.3 - all are hardened and allways with
> SSP flags enabled in specs. So at least it worth a try before switching
> to vanilla compilers.

Both of these fail for me on hardened amd64, though my
admittedly sketchy memory tells me both built fine when I
was running hardened x86 on the same hardware a few months back.

The mplayer failure is the same one that's always caused
problems for SSP -- running out of registers in parts of the
assembly code. The OOo build fails on three separate steps
for three seemingly unrelated reasons, none of which I have
had time to chase down.

--Mike


michael at orlitzky

Oct 27, 2009, 9:33 PM

Post #11 of 12 (1598 views)
Re: gcc-4.3.4 stabilized for a hardened profile? [In reply to]

Mike Edenfield wrote:
> On 10/27/2009 6:50 PM, Pavel Labushev wrote:
>> Michael Orlitzky wrote:
>>
>>> using hardened for a desktop machine. A few packages, e.g.
>>
>>> * Mplayer
>>> * OpenOffice
>>
>> There wasn't a /single/ failure on x86 with these two for me, despite I
>> compiled it with 3.4.6/4.1.2/4.3.3 - all are hardened and allways with
>> SSP flags enabled in specs. So at least it worth a try before switching
>> to vanilla compilers.
>
> Both of these fail for me on hardened amd64, though my admittedly
> sketchy memory tells me both built fine when I was running hardened x86
> on the same hardware a few months back.
>
> The mplayer failure is the same one that's always caused problems for
> SSP -- running out of registers in parts of the assembly code. The OOo
> build fails on three separate steps for three seemingly unrelated
> reasons, none of which I have had time to chase down.

OpenOffice fails about an hour into compilation for me, so screw that.
All of my desktop machines are amd64 -- x86 users might have better
luck, especially now that 4.x is stable.

If you have any trouble during the 'emerge -ve world', please unleash a
fury upon bugzilla.


kutulu at kutulu

Oct 29, 2009, 2:55 PM

Post #12 of 12 (1580 views)
Re: gcc-4.3.4 stabilized for a hardened profile? [In reply to]

On 10/28/2009 12:33 AM, Michael Orlitzky wrote:
> Mike Edenfield wrote:

>> The OOo
>> build fails on three separate steps for three seemingly unrelated
>> reasons, none of which I have had time to chase down.

> OpenOffice fails about an hour into compilation for me, so screw that.
> All of my desktop machines are amd64 -- x86 users might have better
> luck, especially now that 4.x is stable.

My current testing seems to indicate that this is a problem with the
OpenOffice build and PaX, not with the hardened toolchain itself -- I
was able to build successfully by turning on softmode first. Whether
that makes it easier or harder to "fix" the build problems, I dunno.

--Mike
