Re: Stack Smash Protection disabled (was HEADS-UP: Stack Smash Protection enabled by default for amd64 and i386)

[Steven Bellovin <smb%cs.columbia.edu@localhost>]

On Nov 12, 2009, at 3:30 PM, Elad Efrat wrote:

> Matthias Scheler wrote:
>> On Wed, Nov 11, 2009 at 04:55:07PM +0000, Matthias Scheler wrote:
>>> SSP will result in a slowdown of about 5%, please read this thread
>>> for more details:
>> After protests from multiple developer because of the performance hit
>> I've reverted the changes. SSP is now off by default (except for
>> library and network daemon builds) on all platforms, in particular
>> for NetBSD/amd64 and NetBSD/i386 kernels.
> 
> Unfortunately for rmind@, pooka@, and haad@, until proven otherwise,
> it seems more developers are interested in having SSP enabled by
> default. Please put it back. No developers are more equal than others.
> 
I don't know who has opposed it and I'm not particularly interested in names.  
It would be nice to get a sense of the consensus -- I would certainly like it 
on by default.  The hit is only 5%?  If my math is right, that's about 5 weeks 
worth of Moore's Law bonus; I think we can afford it.  It's especially true for 
amd64, where there isn't much 15-year-old steam-powered, legacy hardware around.

In the meantime, is there something I can put into mk.conf to enable it when I 
do my own builds?  What about for pkgsrc builds?

                --Steve Bellovin, http://www.cs.columbia.edu/~smb