Hello guys.
I'm currently migrating the packages I have in touch to a newer Debian
compat level, and there's one thing I want to discuss.
Recently I noticed that binaries in migrated packages are bigger in
size. Let's take, for example, the libosso1 package. Its binary sizes for
migrated vs non-migrated:
libosso.so.1.3.0 51204
libosso.so.1.3.0 47092
It's about 8% increase.
So I figured out what the reason was: it's the usage of the gcc/g++
-fstack-protector-strong option in Debian upstream. You may read
about this option here
https://wiki.debian.org/Hardening and here
https://lwn.net/Articles/584225/
So my question is:
* should we avoid using this option in our packages, so that our binaries
take less space and work faster, but lack some security protection from
stack attacks?
OR
* just use the Debian upstream CFLAGS, with the additional security they
offer to the binaries?
We may also have this option enabled for some packages and disabled for
others, so we will need to maintain a list of packages which should be
protected and which should not.
One more thing to consider is that until now most of our packages have not
been migrated to the modern Debian compat level / sequencer. So they are
unprotected, just like in Maemo Fremantle.
--
Best regards, Spinal
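
An added example, not part of the original message: one way to build the "protected / not protected" package list mentioned above is to check each shipped binary for the libc symbols that GCC's stack protector imports. It assumes `readelf` from binutils is installed; the symbol tables and the name `sample_init` are constructed sample input.

```python
import re
import subprocess
import sys

# Symbols a GCC stack-protected object imports from libc.
CANARY_SYMBOLS = {"__stack_chk_fail", "__stack_chk_guard"}

# Row of `readelf -W --dyn-syms`: Num: Value Size Type Bind Vis Ndx Name
ROW = re.compile(r"^\s*\d+:\s+[0-9a-fA-F]+\s+\S+\s+\S+\s+\S+\s+\S+\s+(\S+)\s+(\S+)")

def canary_imports(readelf_output):
    """Return the canary symbols the binary imports (Ndx column is UND)."""
    found = set()
    for line in readelf_output.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        ndx, name = m.groups()
        name = name.split("@", 1)[0]  # strip symbol version such as @GLIBC_2.4
        if ndx == "UND" and name in CANARY_SYMBOLS:
            found.add(name)
    return found

def audit(path):
    """Run readelf on a real file and report its canary imports."""
    out = subprocess.run(["readelf", "-W", "--dyn-syms", path],
                         capture_output=True, text=True, check=True).stdout
    return canary_imports(out)

# Constructed sample tables (not taken from any real package build).
PROTECTED = """\
Symbol table '.dynsym' contains 4 entries:
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     0: 00000000     0 NOTYPE  LOCAL  DEFAULT  UND 
     1: 00000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
     2: 00000000     0 OBJECT  GLOBAL DEFAULT  UND __stack_chk_guard@GLIBC_2.4 (2)
     3: 00001a2c   120 FUNC    GLOBAL DEFAULT   11 sample_init
"""
UNPROTECTED = """\
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     1: 00000000     0 FUNC    GLOBAL DEFAULT  UND malloc@GLIBC_2.4 (2)
     2: 00001a2c   120 FUNC    GLOBAL DEFAULT   11 sample_init
"""
# A library that defines the symbol itself (as libc does) is not importing it.
DEFINES_ONLY = "     5: 000f1230    24 FUNC    GLOBAL DEFAULT   13 __stack_chk_fail@@GLIBC_2.4\n"

if __name__ == "__main__":
    for p in sys.argv[1:]:
        syms = audit(p)
        print(p, "protected" if syms else "no canary imports", sorted(syms))
```

An empty result means no function in the file carries a canary; a library with no local arrays or address-taken locals can produce that even when built with -fstack-protector-strong.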