Re: Default hardening options

[David Brownlee <abs%absd.org@localhost>]

On Fri, 6 Aug 2021 at 06:03, Greg Troxel <gdt%lexort.com@localhost> wrote:
>
> Given that you've been running with them and things seem ok, I think
> it's reasonable to adjust the defaults.  Surely we have variables to set
> per-package to opt out for packages known to be troubled, and I suspect
> people with higher defaults locally have found most of those.

Just started rebuilding everything on netbsd-9/amd64 and first build
casualty seems to be git-base with an ICE (see below). I'm very much
in favour of moving to more secure defaults - could I suggest
something along the lines of confirming the docs for overriding on a
per package basis are all ready, make an announcement (including links
to the docs :-p) encouraging people to test now, with a plan to switch
after the next branch?

pkgsrc/devel/git-base build error - I assume this is limited to some
combination of gcc version - once I track down which option is causing
the problem should the disabling be based on NetBSD version & use of
gcc, or gcc version?

David

In file included from builtin/rebase.c:20:0:
builtin/rebase.c: In function 'cmd_rebase__interactive':
builtin/rebase.c:493:37: internal compiler error: in recompute_tree_invariant_fo
r_addr_expr, at tree.c:4282
   OPT_CALLBACK_F('k', "keep-empty", &options, NULL,
./parse-options.h:153:32: note: in definition of macro 'OPT_CALLBACK_F'
  { OPTION_CALLBACK, (s), (l), (v), (a), (h), (f), (cb) }