[meta-poky][PATCH] poky.conf: Enable security flags+pie by defaultEnable security flags+pie by default

[meta-poky][PATCH] poky.conf: Enable security flags+pie by defaultEnable security flags+pie by default

[Khem Raj]

This has been an opt-in for so long, some distributions e.g.
poky-lsb uses it by default however, since most of linux
distros have started to default to these settings for security
enhancements, time has come for OE to make it default too

Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
 meta-poky/conf/distro/poky.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-poky/conf/distro/poky.conf b/meta-poky/conf/distro/poky.conf
index 1c4feeceaa9..392c2383ee4 100644
--- a/meta-poky/conf/distro/poky.conf
+++ b/meta-poky/conf/distro/poky.conf
@@ -98,4 +98,5 @@ ERROR_QA_append = " ${WARN_TO_ERROR_QA}"
 require conf/distro/include/poky-world-exclude.inc
 require conf/distro/include/no-static-libs.inc
 require conf/distro/include/yocto-uninative.inc
+require conf/distro/include/security_flags.inc
 INHERIT += "uninative"
-- 
2.18.0

Re: [meta-poky][PATCH] poky.conf: Enable security flags+pie by defaultEnable security flags+pie by default

[Burton, Ross]

Interestingly, considering that poky-lsb used to do this, the
autobuilder is failing.  See the ross/flags row on
https://autobuilder.yocto.io/tgrid.

Ross

On 28 July 2018 at 03:46, Khem Raj <raj.khem@gmail.com> wrote:
> This has been an opt-in for so long, some distributions e.g.
> poky-lsb uses it by default however, since most of linux
> distros have started to default to these settings for security
> enhancements, time has come for OE to make it default too
>
> Signed-off-by: Khem Raj <raj.khem@gmail.com>
> ---
>  meta-poky/conf/distro/poky.conf | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/meta-poky/conf/distro/poky.conf b/meta-poky/conf/distro/poky.conf
> index 1c4feeceaa9..392c2383ee4 100644
> --- a/meta-poky/conf/distro/poky.conf
> +++ b/meta-poky/conf/distro/poky.conf
> @@ -98,4 +98,5 @@ ERROR_QA_append = " ${WARN_TO_ERROR_QA}"
>  require conf/distro/include/poky-world-exclude.inc
>  require conf/distro/include/no-static-libs.inc
>  require conf/distro/include/yocto-uninative.inc
> +require conf/distro/include/security_flags.inc
>  INHERIT += "uninative"
> --
> 2.18.0
>
> --
> _______________________________________________
> poky mailing list
> poky@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/poky

Re: [meta-poky][PATCH] poky.conf: Enable security flags+pie by defaultEnable security flags+pie by default

[Khem Raj]

Hi Ross
On Sat, Jul 28, 2018 at 3:15 PM Burton, Ross <ross.burton@intel.com> wrote:
>
> Interestingly, considering that poky-lsb used to do this, the
> autobuilder is failing.  See the ross/flags row on
> https://autobuilder.yocto.io/tgrid.
>

https://autobuilder.yocto.io/builders/nightly-no-x11/builds/1160/steps/Running%20Sanity%20Tests/logs/stdio

This seems to be mark failed but all tests have passed. I wonder what
is marking it so.

musl one looks real, I will take a look

> Ross
>
> On 28 July 2018 at 03:46, Khem Raj <raj.khem@gmail.com> wrote:
> > This has been an opt-in for so long, some distributions e.g.
> > poky-lsb uses it by default however, since most of linux
> > distros have started to default to these settings for security
> > enhancements, time has come for OE to make it default too
> >
> > Signed-off-by: Khem Raj <raj.khem@gmail.com>
> > ---
> >  meta-poky/conf/distro/poky.conf | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/meta-poky/conf/distro/poky.conf b/meta-poky/conf/distro/poky.conf
> > index 1c4feeceaa9..392c2383ee4 100644
> > --- a/meta-poky/conf/distro/poky.conf
> > +++ b/meta-poky/conf/distro/poky.conf
> > @@ -98,4 +98,5 @@ ERROR_QA_append = " ${WARN_TO_ERROR_QA}"
> >  require conf/distro/include/poky-world-exclude.inc
> >  require conf/distro/include/no-static-libs.inc
> >  require conf/distro/include/yocto-uninative.inc
> > +require conf/distro/include/security_flags.inc
> >  INHERIT += "uninative"
> > --
> > 2.18.0
> >
> > --
> > _______________________________________________
> > poky mailing list
> > poky@yoctoproject.org
> > https://lists.yoctoproject.org/listinfo/poky

Re: [meta-poky][PATCH] poky.conf: Enable security flags+pie by defaultEnable security flags+pie by default

[Burton, Ross]

On 29 July 2018 at 02:57, Khem Raj <raj.khem@gmail.com> wrote:
> Hi Ross
> On Sat, Jul 28, 2018 at 3:15 PM Burton, Ross <ross.burton@intel.com> wrote:
>>
>> Interestingly, considering that poky-lsb used to do this, the
>> autobuilder is failing.  See the ross/flags row on
>> https://autobuilder.yocto.io/tgrid.
>>
>
> https://autobuilder.yocto.io/builders/nightly-no-x11/builds/1160/steps/Running%20Sanity%20Tests/logs/stdio
>
> This seems to be mark failed but all tests have passed. I wonder what
> is marking it so.

I've re-fired that to see if it goes away.

> musl one looks real, I will take a look

And the ppc builder basically exploded in fire.

Ross