Hardened profiles improvements - 01/01/2023 00:00 GMT
Gentoo's hardened profiles are adopting two new modern toolchain hardening techniques: 1. Level 3 fortification (-D_FORTIFY_SOURCE=3) [0] 2. libstdc++ assertions (-D_GLIBCXX_ASSERTIONS) [1] These will both be enabled by default with USE=hardened on sys-devel/gcc for >=sys-devel/gcc-12.2.1_p20221231. To view the existing list of hardening changes applied by the profiles, see the wiki [2]. Stable users may wish to add sys-devel/gcc-12.2.1_p20221231 into /etc/portage/package.accept_keywords if they wish to take advantage of these improvements early, before GCC 12 is marked stable. ## Migration To fully take advantage of these new settings, GCC must first be upgraded, and then all packages must be re-emerged: 1. # emerge --sync 2. # emerge --verbose --oneshot ">=sys-devel/gcc-12.2.1_p20221231" 3. # gcc-config latest 4. # emerge --verbose --emptytree @world ## Troubleshooting In the event that some packages fail at runtime, please file a bug with the full details. To temporarily workaround the problem, it should be possible to recompile broken packages with the following *FLAGS: CFLAGS="$ -D_FORTIFY_SOURCE=2" CXXFLAGS="$ -D_FORTIFY_SOURCE=2 -U_GLIBCXX_ASSERTIONS" [0] https://bugs.gentoo.org/876893 [1] https://bugs.gentoo.org/876895 [2] https://wiki.gentoo.org/wiki/Hardened/Toolchain#Changes
Posted By: Sam James