Clarify compiler options hardening limitations when linking to pre-built artifacts #706
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Looks good to me! Thanks!! |
|
|
||
| Compiler options hardening is not a silver bullet; it is not sufficient to rely solely on security features and functions to achieve secure software. Security is an emergent property of the entire system that relies on building and integrating all parts properly. However, if properly used, secure compiler options will complement existing processes, such as static and dynamic analysis, secure coding practices, negative test suites, profiling tools, and most importantly: security hygiene as a part of a solid design and architecture. | ||
|
|
||
| Hardened compiler options only take effect in code that is compiled with the hardened options. Consequently, compiler options hardening does not benefit software that has been pre-built before hardened options have been adopted. This is particularly a concern for projects that incorporate pre-built (possibly third-party) libraries or other components. In such cases, it is important to understand what components a project is being linked against, and how they in turn are built, to determine which components benefit from compiler options hardening. |
There was a problem hiding this comment.
While code generation obviously only takes place during compilation, some compiler option flags are passed on to the linker and thus can have an impact after compilation. See in particular the -Wl options. So this needs a small weakening:
s/Hardened compiler options only take effect/In most cases hardened compiler options only take effect/
s/Consequently, compiler options hardening does not benefit software/Consequently, most compiler options hardening does not benefit software/
There was a problem hiding this comment.
Fixed in 844372a.
…ilt artifacts Signed-off-by: Thomas Nyman <[email protected]>
thomasnyman
force-pushed
the
clarify-limitations-with-pre-built-artifacts
branch
from
02cbaba to
844372a
Compare
david-a-wheeler
approved these changes
Jan 23, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Clarify compiler options hardening limitations when linking to pre-built artifacts
Fixes #705