| Message ID | 20180727074130.19685-1-raj.khem@gmail.com |
|---|---|
| State | New |
| Headers | show |
| Series | [V2] defaultsetup.conf: Enable security flags+pie by default | expand |
What is holding back this patch? Cheers Andrea On Fri, Jul 27, 2018 at 9:41 AM Khem Raj <raj.khem@gmail.com> wrote: > > This has been an opt-in for so long, some distributions e.g. > poky-lsb uses it by default however, since most of linux > distros have started to default to these settings for security > enhancements, time has come for OE to make it default too > > remove documentation from advanced local.conf sample > > Signed-off-by: Khem Raj <raj.khem@gmail.com> > --- > v2: > - Remove references to explicitly enabling security flags > > meta/conf/distro/defaultsetup.conf | 1 + > meta/conf/local.conf.sample.extended | 11 ----------- > 2 files changed, 1 insertion(+), 11 deletions(-) > > diff --git a/meta/conf/distro/defaultsetup.conf b/meta/conf/distro/defaultsetup.conf > index ca2f9178d2..352e279596 100644 > --- a/meta/conf/distro/defaultsetup.conf > +++ b/meta/conf/distro/defaultsetup.conf > @@ -1,6 +1,7 @@ > include conf/distro/include/default-providers.inc > include conf/distro/include/default-versions.inc > include conf/distro/include/default-distrovars.inc > +require conf/distro/include/security_flags.inc > include conf/distro/include/world-broken.inc > > TCMODE ?= "default" > diff --git a/meta/conf/local.conf.sample.extended b/meta/conf/local.conf.sample.extended > index e698acb84b..7f107831ee 100644 > --- a/meta/conf/local.conf.sample.extended > +++ b/meta/conf/local.conf.sample.extended > @@ -270,17 +270,6 @@ > #COPYLEFT_RECIPE_TYPES = 'target' > # > > -# > -# GCC/LD FLAGS to enable more secure code generation > -# > -# By including the security_flags include file you enable flags > -# to the compiler and linker that cause them to generate more secure > -# code, this is enabled by default in the poky-lsb distro. > -# This does affect compile speed slightly. > -# > -# Use the following line to enable the security compiler and linker flags to your build > -#require conf/distro/include/security_flags.inc > - > # Image level user/group configuration. > # Inherit extrausers to make the setting of EXTRA_USERS_PARAMS effective. > #INHERIT += "extrausers" > -- > 2.18.0 > > -- > _______________________________________________ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-core -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
On Fri, 2018-09-07 at 15:28 +0200, Andrea Adami wrote:
> What is holding back this patch?
I think there were concerns about changing the OE defaults like this so
Khem and I agreed to merge it into poky as a default there for now.
There are probably a few defaults in poky we should have in
defaultsetup but those changes tend to be disruptive and
controversial...
Cheers,
Richard
--
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
diff --git a/meta/conf/distro/defaultsetup.conf b/meta/conf/distro/defaultsetup.conf index ca2f9178d2..352e279596 100644 --- a/meta/conf/distro/defaultsetup.conf +++ b/meta/conf/distro/defaultsetup.conf @@ -1,6 +1,7 @@ include conf/distro/include/default-providers.inc include conf/distro/include/default-versions.inc include conf/distro/include/default-distrovars.inc +require conf/distro/include/security_flags.inc include conf/distro/include/world-broken.inc TCMODE ?= "default" diff --git a/meta/conf/local.conf.sample.extended b/meta/conf/local.conf.sample.extended index e698acb84b..7f107831ee 100644 --- a/meta/conf/local.conf.sample.extended +++ b/meta/conf/local.conf.sample.extended @@ -270,17 +270,6 @@ #COPYLEFT_RECIPE_TYPES = 'target' # -# -# GCC/LD FLAGS to enable more secure code generation -# -# By including the security_flags include file you enable flags -# to the compiler and linker that cause them to generate more secure -# code, this is enabled by default in the poky-lsb distro. -# This does affect compile speed slightly. -# -# Use the following line to enable the security compiler and linker flags to your build -#require conf/distro/include/security_flags.inc - # Image level user/group configuration. # Inherit extrausers to make the setting of EXTRA_USERS_PARAMS effective. #INHERIT += "extrausers"
This has been an opt-in for so long, some distributions e.g. poky-lsb uses it by default however, since most of linux distros have started to default to these settings for security enhancements, time has come for OE to make it default too remove documentation from advanced local.conf sample Signed-off-by: Khem Raj <raj.khem@gmail.com> --- v2: - Remove references to explicitly enabling security flags meta/conf/distro/defaultsetup.conf | 1 + meta/conf/local.conf.sample.extended | 11 ----------- 2 files changed, 1 insertion(+), 11 deletions(-) -- 2.18.0 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core