[OE-core] [PATCH] defaultsetup.conf: Enable security flags+pie by default

Khem Raj raj.khem at gmail.com
Tue Jul 24 14:12:21 UTC 2018


On Tue, Jul 24, 2018 at 12:30 AM ChenQi <Qi.Chen at windriver.com> wrote:
>
> Hi Khem,
>
> The comments in security-flags.inc also need to be modified to remove
> 'poky-lsb' info.
>
> I'd suggest we still put it into distro conf file (poky.conf) instead of
> defaultsetup.conf, because defaultsetup.conf is included by
> bitbake.conf. I think things in defaultsetup.conf should be necessary
> default values to build things out. I don't think security flags is
> necessary to build things out.

this is the default setup, even non-poky users will get consistent experience.

>
> Also, I got a question when I just looked at this file.
> Do you think we should adjust CFLAGS and LDFLAGS in security_flags.inc
> instead of the current TARGET_CC_ARCH and TARGET_LDFLAGS?

in many cases packages do not honor CFLAGS/LDFLAGS, say during configure

> We are naming
> variables to SECURITY_CFLAGS and SECURITY_LDFLAGS, it seems that they
> belong to CFLAGS and LDFLAGS naturally. But I'm not sure about it.
>
yes they do, but this makes it easy to override the setting for packages where
these options are needed to be overridden or modified.


> Best Regards,
> Chen Qi
>
>
> On 07/24/2018 03:09 AM, Khem Raj wrote:
> > This has been an opt-in for so long, some distributions e.g.
> > poky-lsb uses it by default however, since most of linux
> > distros have started to default to these settings for security
> > enhancements, time has come for OE to make it default too
> >
> > Signed-off-by: Khem Raj <raj.khem at gmail.com>
> > ---
> >   meta/conf/distro/defaultsetup.conf | 1 +
> >   1 file changed, 1 insertion(+)
> >
> > diff --git a/meta/conf/distro/defaultsetup.conf b/meta/conf/distro/defaultsetup.conf
> > index ca2f9178d2..352e279596 100644
> > --- a/meta/conf/distro/defaultsetup.conf
> > +++ b/meta/conf/distro/defaultsetup.conf
> > @@ -1,6 +1,7 @@
> >   include conf/distro/include/default-providers.inc
> >   include conf/distro/include/default-versions.inc
> >   include conf/distro/include/default-distrovars.inc
> > +require conf/distro/include/security_flags.inc
> >   include conf/distro/include/world-broken.inc
> >
> >   TCMODE ?= "default"
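
Review bot: the new `require conf/distro/include/security_flags.inc` line is the only `require` among the `include` lines in this hunk, so a tree that lacks that file will now fail to parse instead of silently continuing; if the hard failure is intended, say so in the commit message, otherwise use `include` to match the neighbouring lines. The commit message also only explains why the default changes; it should state how a distro or recipe opts back out now that the flags arrive through defaultsetup.conf.
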
>
>


