At Thu, 12 Nov 2009 19:46:16 +0000, Matthias Scheler <tron%zhadum.org.uk@localhost> wrote:
Subject: Re: Stack Smash Protection disabled (was HEADS-UP: Stack Smash Protection enabled by default for amd64 and i386)
>
> On 12 Nov 2009, at 18:54, Julio Merino wrote:
>
> > On Thu, Nov 12, 2009 at 2:39 PM, Matthias Scheler
> > <tron%netbsd.org@localhost> wrote:
> >> On Wed, Nov 11, 2009 at 04:55:07PM +0000, Matthias Scheler wrote:
> >>> SSP will result in a slowdown of about 5%, please read this thread
> >>> for more details:
> >>
> >> After protests from multiple developers because of the performance hit
> >> I've reverted the changes. SSP is now off by default (except for
> >> library and network daemon builds) on all platforms, in particular
> >> for NetBSD/amd64 and NetBSD/i386 kernels.
> >
> > I'm wondering: how many developers did protest?
>
> The original discussion on "port-i386": none
> Two developers asked for benchmark numbers which were provided.

So, nobody actually _protested_? (I don't recall any real protest)

I'd say if a developer protests this then they must be kinda lazy -- if
they can't keep a local change that turns it off for their own personal
builds!

I strongly believe tools such as SSP and FORTIFY and such should be
turned on by default in as many builds as possible, and certainly by
default in -current (and maybe even in the release branches too, though
perhaps not for final release builds).

Turning off execute permission for all stack and heap pages by default
on whichever ports it is possible would also be very welcome!

-- 
Greg A. Woods
Planix, Inc.

<woods%planix.com@localhost> +1 416 218 0099 http://www.planix.com/