:: Re: [maemo-leste] Updating packages
Author: Merlijn Wajer
Date:  
To: Arthur D., Ivaylo Dimitrov
CC: maemo-leste
Subject: Re: [maemo-leste] Updating packages
Hi,

On 04/03/2019 05:20, Arthur D. wrote:
> Hello guys.
>
> I'm currently migrating the packages I have in touch to the newer Debian
> compat level. And there's one thing I want to discuss.
>
> Recently I noticed that binaries in migrated packages are bigger in
> size. Let's take, for example, the libosso1 package. Its binary sizes for
> migrated vs non-migrated:
> libosso.so.1.3.0  51204
> libosso.so.1.3.0  47092
>
> It's about 8% increase.
>
> So I figured out what the reason was. And it's the usage of the gcc/g++
> -fstack-protector-strong option in Debian upstream. You may read
> about this option here https://wiki.debian.org/Hardening and here
> https://lwn.net/Articles/584225/
>
> So my question is:
>
> * should we avoid using this option in our packages to have our binaries
> take less space and work faster, but lack some security protection from
> stack attacks?


The overhead here is not significant and there is real benefit to this
hardening. I would just go with whatever Debian does by default. It took
them long enough to add this in the first place -- I've been doing this
for over 10 years in Gentoo.

>  OR
>
> * just use the Debian upstream CFLAGS, with the additional security they
> offer to the binaries?


This seems like the right thing to do.


> We may also have this option enabled for some packages and disabled for
> others, so we will need to maintain a list of packages which should be
> protected and which should not.


All of them? :)

> One more thing to consider is that until now most of our packages are not
> migrated to the modern Debian compat level / sequencer. So they are
> unprotected, just like in Maemo Fremantle.


That's a good point. We should definitely migrate it all over eventually.

Cheers,
Merlijn