Hi,

On 2022-08-30 14:07:41 -0400, Tom Lane wrote:
> Andres Freund <andres@anarazel.de> writes:
> > On 2022-08-30 13:24:39 -0400, Tom Lane wrote:
> >> Andres Freund <andres@anarazel.de> writes:
> >>> Perhaps it'd be saner to default to building with -Wl,-z,now? That should fix
> >>> the problem too, right (and if we combine it with relro, it'd be a security
> >>> improvement to boot).
>
> >> Hm. Not sure if that works on NetBSD, but I'll check it out.
>
> > FWIW, it's a decently (well over 10 years) old thing I think. And it's documented in
> > the netbsd ld manpage and their packaging guide (albeit indirectly, with their
> > tooling doing the work of specifying the flags):
> > https://www.netbsd.org/docs/pkgsrc/hardening.html#hardening.audit.relrofull
>
> It does appear that they use GNU ld, and I've just finished confirming
> that each of those switches has the expected effects on my PPC box.
> So yeah, this looks like a better answer.

Cool.

> Do we want to install this just for NetBSD, or more widely?
> I think we'd better back-patch it for NetBSD, so I'm inclined
> to be conservative about the change.

It's likely a good idea to enable it everywhere applicable, but I agree that
we shouldn't unnecessarily do so in the backbranches. So I'd be inclined to
add it to the netbsd template for the backbranches.

For HEAD I can see putting it into all the applicable templates, adding an
AC_LINK_IFELSE() test, or just putting it into the meson stuff.

Greetings,
Andres Freund
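
Added example, not part of the original message or of PostgreSQL's build scripts: a check that a linked binary actually carries what `-Wl,-z,relro` combined with `-Wl,-z,now` should produce, by reading the `PT_GNU_RELRO` program header and the bind-now flags in the dynamic section. The names `relro_status` and `sample_elf` are hypothetical, and the sample image is constructed for illustration.

```python
import struct

PT_DYNAMIC, PT_NOTE, PT_GNU_RELRO = 2, 4, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def relro_status(elf: bytes) -> str:
    """Classify an ELF image as 'full', 'partial' or 'none' RELRO."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if elf[5] == 1 else ">"       # EI_DATA: 1 = little-endian
    # e_phoff, e_phentsize, e_phnum from the ELF header
    hdr_fmt, hdr_off = ("Q14xHH", 0x20) if is64 else ("I10xHH", 0x1C)
    phoff, phentsize, phnum = struct.unpack_from(end + hdr_fmt, elf, hdr_off)
    relro = bind_now = False
    for i in range(phnum):
        base = phoff + i * phentsize
        (p_type,) = struct.unpack_from(end + "I", elf, base)
        if p_type == PT_GNU_RELRO:          # emitted by -z relro
            relro = True
        elif p_type == PT_DYNAMIC:          # -z now sets a flag in .dynamic
            seg_fmt, seg_off = ("Q16xQ", 8) if is64 else ("I8xI", 4)
            off, size = struct.unpack_from(end + seg_fmt, elf, base + seg_off)
            dyn_fmt = end + ("QQ" if is64 else "II")
            size -= size % struct.calcsize(dyn_fmt)
            for tag, val in struct.iter_unpack(dyn_fmt, elf[off:off + size]):
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True
    if relro:
        return "full" if bind_now else "partial"
    return "none"


def sample_elf(relro: bool, now: bool) -> bytes:
    """Constructed ELF64 little-endian image: headers and .dynamic only."""
    dyn = struct.pack("<QQ", DT_FLAGS, DF_BIND_NOW) if now else b""
    dyn += struct.pack("<QQ", DT_NULL, 0)
    segs = [(PT_DYNAMIC, 64 + 2 * 56, len(dyn)),
            (PT_GNU_RELRO if relro else PT_NOTE, 0, 0)]
    ehdr = struct.pack("<4sBBBB8xHHIQQQIHHHHHH", b"\x7fELF", 2, 1, 1, 0,
                       3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, o, o, o, n, n, 8)
                     for t, o, n in segs)
    return ehdr + phdrs + dyn
```

To audit a real build, pass the file contents, for example `relro_status(open(path, "rb").read())`; "partial" means the RELRO segment is present but lazy binding is still on.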