zimoun wrote on Mon 21-03-2022 at 14:34 [+0100]:
> > * gcc can be compiled with `--enable-default-ssp --enable-default-pie`
> > to enforce ssp and pic
>
> You wrote [1]:
>
> --8<---------------cut here---------------start------------->8---
> (define-public gcc
>   (package
>     (inherit gcc)
>     (arguments
>      (substitute-keyword-arguments (package-arguments gcc)
>      ((#:configure-flags flags)
>        `(append (list "--enable-default-ssp" "--enable-default-pie")
>             ,flags))))))
> --8<---------------cut here---------------end--------------->8---

I think it would be a lot simpler to just add this to the 'standard' gcc
configure flags, in (gnu packages gcc), given that probably the idea is
to do this hardening for all packages? Needs a world-rebuild though.

Alternatively, the ssp and other hardening flags can be set in CFLAGS for
individual packages, maybe by default in 'gnu-build-system' and the like.

Alternatively, you could look into how "--with-c-toolchain" does things.

Greetings,
Maxime.
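An added example, not part of the thread or of Guix: whichever of the approaches above is used, a rebuilt compiler can be checked for its built-in defaults by reading the macros GCC predefines when no hardening flags are passed (`__PIE__` for default PIE, `__SSP_STRONG__` for the `-fstack-protector-strong` default that `--enable-default-ssp` turns on). The function names and the two sample dumps are constructed for illustration.

```sh
#!/bin/sh
# Classify a compiler's default hardening from its predefined-macro dump,
# i.e. the output of `gcc -dM -E -x c /dev/null`, read on stdin.
hardening_defaults() {
    awk '
        $1 == "#define" && $2 == "__PIE__"        { pie = "yes" }
        $1 == "#define" && $2 == "__SSP__"        { ssp = "basic" }
        $1 == "#define" && $2 == "__SSP_ALL__"    { ssp = "all" }
        $1 == "#define" && $2 == "__SSP_STRONG__" { ssp = "strong" }
        END { printf "pie=%s ssp=%s\n", (pie ? pie : "no"), (ssp ? ssp : "no") }
    '
}

# check_compiler CC: query a real compiler with no -f flags on the command
# line, so only its configured defaults show up. Returns 0 only when both
# PIE and some stack protector level are on by default.
check_compiler() {
    result=$("$1" -dM -E -x c /dev/null 2>/dev/null | hardening_defaults)
    echo "$1: $result"
    case $result in
        pie=no*|*ssp=no) return 1 ;;
    esac
    return 0
}

# Constructed sample dumps (abridged): a gcc configured with
# --enable-default-ssp --enable-default-pie, and one configured without.
SAMPLE_HARDENED='#define __GNUC__ 11
#define __PIC__ 2
#define __PIE__ 2
#define __SSP_STRONG__ 3'
SAMPLE_PLAIN='#define __GNUC__ 11
#define __OPTIMIZE__ 1'

printf '%s\n' "$SAMPLE_HARDENED" | hardening_defaults
printf '%s\n' "$SAMPLE_PLAIN" | hardening_defaults
```

Against a real toolchain, `check_compiler gcc` runs the same classification on the live compiler and fails when either default is missing.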