[V2] defaultsetup.conf: Enable security flags+pie by default

Message ID 20180727074130.19685-1-raj.khem@gmail.com
State New

Commit Message

Khem Raj July 27, 2018, 7:41 a.m.
This has been an opt-in for so long, some distributions e.g.
poky-lsb uses it by default however, since most of linux
distros have started to default to these settings for security
enhancements, time has come for OE to make it default too

remove documentation from advanced local.conf sample

Signed-off-by: Khem Raj <raj.khem@gmail.com>

---
v2:
- Remove references to explicitly enabling security flags

 meta/conf/distro/defaultsetup.conf   |  1 +
 meta/conf/local.conf.sample.extended | 11 -----------
 2 files changed, 1 insertion(+), 11 deletions(-)

-- 
2.18.0

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Comments

Andrea Adami Sept. 7, 2018, 1:28 p.m. | #1
What is holding back this patch?

Cheers
Andrea
On Fri, Jul 27, 2018 at 9:41 AM Khem Raj <raj.khem@gmail.com> wrote:
>
> This has been an opt-in for so long, some distributions e.g.
> poky-lsb uses it by default however, since most of linux
> distros have started to default to these settings for security
> enhancements, time has come for OE to make it default too
>
> remove documentation from advanced local.conf sample
>
> Signed-off-by: Khem Raj <raj.khem@gmail.com>
> ---
> v2:
> - Remove references to explicitly enabling security flags
>
>  meta/conf/distro/defaultsetup.conf   |  1 +
>  meta/conf/local.conf.sample.extended | 11 -----------
>  2 files changed, 1 insertion(+), 11 deletions(-)
>
> diff --git a/meta/conf/distro/defaultsetup.conf b/meta/conf/distro/defaultsetup.conf

> index ca2f9178d2..352e279596 100644

> --- a/meta/conf/distro/defaultsetup.conf

> +++ b/meta/conf/distro/defaultsetup.conf

> @@ -1,6 +1,7 @@

>  include conf/distro/include/default-providers.inc

>  include conf/distro/include/default-versions.inc

>  include conf/distro/include/default-distrovars.inc

> +require conf/distro/include/security_flags.inc

>  include conf/distro/include/world-broken.inc

>

>  TCMODE ?= "default"

> diff --git a/meta/conf/local.conf.sample.extended b/meta/conf/local.conf.sample.extended

> index e698acb84b..7f107831ee 100644

> --- a/meta/conf/local.conf.sample.extended

> +++ b/meta/conf/local.conf.sample.extended

> @@ -270,17 +270,6 @@

>  #COPYLEFT_RECIPE_TYPES = 'target'

>  #

>

> -#

> -# GCC/LD FLAGS to enable more secure code generation

> -#

> -# By including the security_flags include file you enable flags

> -# to the compiler and linker that cause them to generate more secure

> -# code, this is enabled by default in the poky-lsb distro.

> -# This does affect compile speed slightly.

> -#

> -# Use the following line to enable the security compiler and linker flags to your build

> -#require conf/distro/include/security_flags.inc

> -

>  # Image level user/group configuration.

>  # Inherit extrausers to make the setting of EXTRA_USERS_PARAMS effective.

>  #INHERIT += "extrausers"

> --

> 2.18.0

Richard Purdie Sept. 11, 2018, 11:03 a.m. | #2
On Fri, 2018-09-07 at 15:28 +0200, Andrea Adami wrote:
> What is holding back this patch?


I think there were concerns about changing the OE defaults like this so
Khem and I agreed to merge it into poky as a default there for now.
There are probably a few defaults in poky we should have in
defaultsetup but those changes tend to be disruptive and
controversial...

Cheers,

Richard

Patch

diff --git a/meta/conf/distro/defaultsetup.conf b/meta/conf/distro/defaultsetup.conf
index ca2f9178d2..352e279596 100644
--- a/meta/conf/distro/defaultsetup.conf
+++ b/meta/conf/distro/defaultsetup.conf
@@ -1,6 +1,7 @@ 
 include conf/distro/include/default-providers.inc
 include conf/distro/include/default-versions.inc
 include conf/distro/include/default-distrovars.inc
+require conf/distro/include/security_flags.inc
 include conf/distro/include/world-broken.inc
 
 TCMODE ?= "default"
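Review bot: The added `require conf/distro/include/security_flags.inc` is the only `require` among the four `include` lines in this block, so a missing or renamed security_flags.inc now aborts parsing for every configuration that pulls in defaultsetup.conf, where an `include` would have been skipped silently. That is the safer failure mode for a hardening default, because a silent skip would produce unhardened builds with no warning, but the commit message should say the hard dependency is intentional. It should also say how a distro or a single recipe opts out, since the same patch removes the description of this file from local.conf.sample.extended.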
diff --git a/meta/conf/local.conf.sample.extended b/meta/conf/local.conf.sample.extended
index e698acb84b..7f107831ee 100644
--- a/meta/conf/local.conf.sample.extended
+++ b/meta/conf/local.conf.sample.extended
@@ -270,17 +270,6 @@ 
 #COPYLEFT_RECIPE_TYPES = 'target'
 #
 
-#
-# GCC/LD FLAGS to enable more secure code generation
-#
-# By including the security_flags include file you enable flags
-# to the compiler and linker that cause them to generate more secure
-# code, this is enabled by default in the poky-lsb distro.
-# This does affect compile speed slightly.
-#
-# Use the following line to enable the security compiler and linker flags to your build
-#require conf/distro/include/security_flags.inc
-
 # Image level user/group configuration.
 # Inherit extrausers to make the setting of EXTRA_USERS_PARAMS effective.
 #INHERIT += "extrausers"
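Review bot: The eleven lines removed at -270 drop every mention of security_flags.inc from the sample, including the caveat "This does affect compile speed slightly", and leave nothing in their place. Now that the flags are on by default, a short replacement comment would serve users better: state that defaultsetup.conf requires conf/distro/include/security_flags.inc and that the build-time cost applies to every build, so anyone who hits a failure or slowdown knows where the flags come from. The removed text also says poky-lsb already enables this file, so it is worth confirming that a distro which requires it itself still parses cleanly once defaultsetup.conf requires it as well.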