From: Alexey Sheplyakov
To: devel@lists.altlinux.org
Subject: Re: [devel] I: LTO in %optflags by default
Date: Wed, 25 Aug 2021 11:12:20 +0400
Message-ID: <8f4e0241-d31f-04fa-ede2-ec000aaa0a0d@basealt.ru>
In-Reply-To: <20210825084640.2412f2e2@homerun.localdomain>

Good afternoon!

On 25.08.2021 09:46, Denis Medvedev wrote:

> -mmitigate-rop
> Attempt to compile code without unintended return addresses, making ROP just a little harder.
>
> -mindirect-branch=thunk -mfunction-return=thunk
> Enables retpoline (return trampolines) to mitigate some variants of Spectre V2. The second flag is necessary on Skylake+ due to the fact that the branch target buffer is vulnerable.

For some architectures, for individual applications (ssh, gpg), it may well make sense. But "happiness for everybody, free, and let no one go away unsatisfied": no, thank you.

> -pie -fPIE
> Required to obtain the full security benefits of ASLR.

Already enabled. It ought to be **disabled**. Especially on 32-bit architectures.

> -ftrapv
> Generates traps for signed overflow (currently bugged in gcc, and may interfere with UBSAN).

Cut down optimization opportunities for no reason? No, thanks. Next you'll suggest building with -O0. Most importantly, this will not make code with UB any safer.