[OE-core] [PATCH] defaultsetup.conf: Enable security flags+pie by default

[ChenQi]

Hi Khem,

The comments in security-flags.inc also needs to be modified to remove 
'poky-lsb' info.

I'd suggest we still put it into distro conf file (poky.conf) instead of 
defaultsetup.conf, because defaultsetup.conf is included by 
bitbake.conf. I think things in defaultsetup.conf should be necessary 
default values to build things out. I don't think security flags is 
necessary to build things out.

Also, I got a question when I just looked at this file.
Do you think we should adjust CFLAGS and LDFALGS in security_flags.inc 
instead of the current TARGET_CC_ARCH and TARGET_LDFLAGS? We are naming 
variables to SECURITY_CFLAGS and SECURITY_LDFLAGS, it seems that they 
belong to CFLAGS and LDFLAGS naturally. But I'm not sure about it.

Best Regards,
Chen Qi


On 07/24/2018 03:09 AM, Khem Raj wrote:
> This has been an opt-in for so long, some distributions e.g.
> poky-lsb uses it by default however, since most of linux
> distros have started to default to these settings for security
> enhancements, time has come for OE to make it default too
>
> Signed-off-by: Khem Raj <raj.khem at gmail.com>
> ---
>   meta/conf/distro/defaultsetup.conf | 1 +
>   1 file changed, 1 insertion(+)
>
> diff --git a/meta/conf/distro/defaultsetup.conf b/meta/conf/distro/defaultsetup.conf
> index ca2f9178d2..352e279596 100644
> --- a/meta/conf/distro/defaultsetup.conf
> +++ b/meta/conf/distro/defaultsetup.conf
> @@ -1,6 +1,7 @@
>   include conf/distro/include/default-providers.inc
>   include conf/distro/include/default-versions.inc
>   include conf/distro/include/default-distrovars.inc
> +require conf/distro/include/security_flags.inc
>   include conf/distro/include/world-broken.inc
>   
>   TCMODE ?= "default"