:: Re: [maemo-leste] Updating packages
Author: Merlijn Wajer
To: Arthur D., Ivaylo Dimitrov
CC: maemo-leste
Subject: Re: [maemo-leste] Updating packages

On 04/03/2019 05:20, Arthur D. wrote:
> Hello guys.
> I'm currently migrating the packages I'm in touch with to a newer debian
> compat level. And there's one thing I want to discuss.
> Recently I noticed that binaries in migrated packages are bigger in
> size. Let's take, for example, the libosso1 package. Its binary sizes for
> migrated vs non-migrated:
> libosso.so.1.3.0  51204
> libosso.so.1.3.0  47092
> It's about 8% increase.
> So I figured out what the reason was. And it's the usage of the gcc/g++
> -fstack-protector-strong option in debian upstream. You may read
> about this option here https://wiki.debian.org/Hardening and here
> https://lwn.net/Articles/584225/
> So my question is:
> * should we avoid using this option in our packages to have our binaries
> take less space + work faster, but lacking some protection against stack
> attacks?

The overhead here is not significant and there is real benefit to this
hardening. I would just go with whatever Debian does by default. It took
them long enough to add this in the first place -- I've been doing this
for over 10 years in Gentoo.

>  OR
> * just use the debian upstream CFLAGS, with the additional security they
> offer to the binaries?

This seems like the right thing to do.

> We may also have this option enabled for some packages and disabled for
> others, so we will need to maintain a list of packages which should be
> protected and which should not.

All of them? :)

> One more thing to consider is that until now most of our packages are not
> migrated to modern debian compat level / sequencer. So they are unprotected
> just like in Maemo Fremantle.

That's a good point. We should definitely migrate it all over eventually.
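
For anyone wanting to see the trade-off discussed above on their own machine,
here is an added example (my own, not code from the thread, from libosso or
from Debian): it builds one tiny C program twice, once with
-fno-stack-protector and once with -fstack-protector-strong, then compares the
file sizes, checks whether each binary references __stack_chk_fail (the
handler the compiler-inserted canary check calls, so its presence is the
quickest sign that at least one function got a canary), and runs both with an
over-long argument to show what the protector actually does at runtime. It
assumes gcc or a gcc-compatible compiler in $CC, a glibc or musl toolchain,
and an ordinary POSIX shell; the file names and the 200-byte input are made
up for the demo.

```shell
#!/bin/sh
# Added example, not part of the maemo-leste thread or any project's code.
# Builds the same program with and without -fstack-protector-strong and
# compares size, the presence of __stack_chk_fail, and behaviour on overflow.
set -eu

# Skip cleanly on a machine without a C compiler.
command -v "${CC:-gcc}" >/dev/null 2>&1 || { echo "no C compiler found"; exit 0; }

WORK="${TMPDIR:-/tmp}/sp-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample program (not from the page): a function with a local
# char array, which is exactly what -fstack-protector-strong instruments.
# The unbounded strcpy() is deliberate so that an over-long argv[1]
# overwrites the canary that sits between buf and the saved return address.
cat > "$WORK/demo.c" <<'EOF'
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
    char buf[16];
    if (argc < 2)
        return 1;
    strcpy(buf, argv[1]);   /* deliberate unbounded copy */
    puts(buf);
    return 0;
}
EOF

# build_demo <protector-flag> <output>: compile demo.c at -O0 so that no
# other hardening (e.g. _FORTIFY_SOURCE, which needs -O1+) blurs the result.
build_demo() {
    "${CC:-gcc}" -O0 "$1" -o "$2" "$WORK/demo.c"
}

# has_stack_protector <binary>: succeeds if the binary references
# __stack_chk_fail, i.e. at least one function was given a canary.
# (hardening-check from Debian's devscripts reports the same thing as
# "Stack protected: yes".)
has_stack_protector() {
    grep -q __stack_chk_fail "$1"
}

# overflow_exit_status <binary>: run it with a 200-byte argument and print
# the shell exit status. A status above 128 means the process was killed by
# a signal; with glibc the canary check aborts, giving 134 (128 + SIGABRT).
overflow_exit_status() {
    long=$(printf '%0200d' 0)
    set +e
    "$1" "$long" >/dev/null 2>&1
    st=$?
    set -e
    echo "$st"
}

build_demo -fno-stack-protector     "$WORK/demo-nosp"
build_demo -fstack-protector-strong "$WORK/demo-sp"

for b in demo-nosp demo-sp; do
    size=$(wc -c < "$WORK/$b")
    if has_stack_protector "$WORK/$b"; then sp=yes; else sp=no; fi
    echo "$b: $size bytes, stack protector: $sp, exit status on overflow: $(overflow_exit_status "$WORK/$b")"
done
```

On a Debian-style glibc system the protected build reports "stack protector:
yes" and dies with status 134 (the "*** stack smashing detected ***" abort)
instead of returning into whatever the overflow wrote over the return
address; the unprotected build carries no reference to __stack_chk_fail and
its outcome after the overflow is simply undefined. The size difference you
see for this one-function program is tiny; in a library like libosso the
same prologue/epilogue is added to every function that has a local array,
which is where a few percent can come from. For a packaged Debian binary,
`hardening-check` from devscripts gives the same answer as the grep without
having to rebuild anything.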