On 5/14/22 00:48, Aaron Puchert wrote:
On 13.05.22 at 15:19, Dominique Leuenberger / DimStar wrote:
* Attempting to build the distro using FORTIFY_SOURCE=3 instead of FORTIFY_SOURCE=2
Is that really a good default though? The Red Hat blog [1] writes:
Earlier _FORTIFY_SOURCE levels rely on constant object sizes; because of this, the runtime overhead is negligible. _FORTIFY_SOURCE=3, however, changes that because expressions used to compute the object size can be arbitrarily complex. Complex expressions can add arbitrarily more runtime overhead. Further, consider the possibility of do_something in the previous example being called in a loop; the overhead gets magnified.
Hi.

We hope the overhead will be reasonable even though it's not so constant as FS=2. If there are affected packages, we can drop the fortification level for them.

Martin
This was a good enough reason to not sneak this new functionality in under the hood. The new level lets developers tinker around with it and decide whether the overhead was acceptable for their use case.
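
The difference between constant and computed object sizes that the quoted passage describes, as an added example that is not code from this thread or from the Red Hat blog. The names `checked_copy`, `copy_to_array`, `probe_heap` and `DYN_SIZE` are hypothetical, the input string is constructed, and the value reported for `level3` depends on the compiler and optimization level.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef __has_builtin
#define __has_builtin(x) 0
#endif
#if __has_builtin(__builtin_dynamic_object_size)
#define DYN_SIZE(p) __builtin_dynamic_object_size((p), 0)  /* what level 3 uses */
#else
#define DYN_SIZE(p) __builtin_object_size((p), 0)          /* older compiler */
#endif
#define UNKNOWN ((size_t)-1)

/* Stand-in for a fortified memcpy: refuse when the size is known and too small. */
static int checked_copy(void *dst, size_t dst_size, const void *src, size_t n)
{
    if (dst_size != UNKNOWN && n > dst_size)
        return -1;                 /* glibc's __memcpy_chk aborts here */
    memcpy(dst, src, n);
    return 0;
}

/* Constant-size destination: the bound is a compile-time constant (level 2). */
static int copy_to_array(size_t n)
{
    static const char src[32] = "constructed sample input";
    char buf[16];
    return checked_copy(buf, __builtin_object_size(buf, 0), src, n);
}

struct sizes { size_t level2, level3; };

/* Heap buffer sized at run time: only the dynamic builtin can track it. */
static struct sizes probe_heap(size_t n)
{
    volatile size_t runtime_n = n; /* hide n from constant propagation */
    char *buf = malloc(runtime_n);
    struct sizes s = { __builtin_object_size(buf, 0), DYN_SIZE(buf) };
    free(buf);
    return s;
}

int main(void)
{
    struct sizes s = probe_heap(48);
    printf("array: copy 8 -> %d, copy 32 -> %d\n", copy_to_array(8), copy_to_array(32));
    printf("heap:  level2 size %zu, level3 size %zu\n", s.level2, s.level3);
    return 0;
}
```

Built with optimization on a compiler that supports the dynamic builtin, `level3` reports the 48 bytes requested while `level2` stays at `(size_t)-1`; without optimization both may be unknown. That run-time size expression is the extra work the quoted passage refers to.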