Junde Yhi

Results 9 comments of Junde Yhi

Looks like a lot has been made regarding the two security issues, but this tracking issue has not been updated for a while.

Interesting flags we may want to consider:

- CFLAGS
  - `-fexceptions` "is recommended for hardening of multi-threaded **C and C++** code" (RH)
  - `-fstack-clash-protection` "prevents attacks based on an overlapping...

Also we now enable `-fpermissive` by default. I personally think this is not a very good idea... and I propose a removal of this flag (given that Red Hat has...

Previously we had many packages that failed to build because of PIE. I looked a little bit into our GCC specs, and found out that our `hardened-ld` specs are unaware...

In c901619 we use `-flto=jobserver` instead of `-flto=$ABTHREADS`. Packagers may have seen this from time to time:

```
warning: jobserver unavailable: using -j1. Add `+' to parent make rule.
```

...

For Rust packages, the `RUSTFLAGS` environment variable can be set for `cargo` (the Rust package manager and build system) to apply to `rustc`, for not only the project itself but also...

Experimentally we want to enable the following two options in GCC configuration:

- `--enable-default-pie` enables PIE by default (`-fpie` and `-fPIE`)
- `--enable-default-ssp` enables `-fstack-protector-strong` by default

This also avoids...

As @LionNatsu proposed, since some packages by default turn `-march=native` on, which breaks compatibility on machines less capable than the build machine, GCC specs may be used to strip such...

~~Lot's of TODO's~~ Lots of TODOs: I think this issue should be pinned on top and be tagged with help-wanted. Just now I went through 3.6. The good point is...