This switch is meant to be used by packages requiring an implementation of the
former libusb (as in devel/libusb). The original implementation can be
chosen by setting LIBUSB_TYPE to "native".
The alternative implementation libusb-compat (as in devel/libusb-compat) wraps
libusb1 (in devel/libusb1). This implementation can be chosen by setting
LIBUSB_TYPE to "compat". On NetBSD, it has the advantage of not requiring root
privileges to locate and use USB devices without a kernel driver.
This first part only imports the switch framework itself.
It currently tackles two problems:
- gcc(1) hard-coding full paths in debugging information (with one
caveat at the moment)
- ar(1) hard-coding user IDs in archive headers
This allows packages built from the same tree and options to produce
identical results bit by bit. This option should be combined with ASLR
and PKGSRC_MKPIE to avoid predictable address offsets for attackers
attempting to exploit security vulnerabilities.
This is still disabled by default, and only supports NetBSD so far.
As discussed on tech-pkg@
This is only actually in use where known supported.
Prepared for a while, also the default in the base system (for NetBSD and
numerous others), introduced on mailing-lists and in my talk "Hardening
pkgsrc", and finally accepted unanimously during pkgsrcCon 2017.
Used by Joyent already (according to jperkin@) and tested in EdgeBSD for a
couple years now (amd64 and i386).
The new options are, for FORTIFY:
"no" Do not pass any flags for FORTIFY
"weak" Pass -D_FORTIFY_SOURCE=1
"strong" Pass -D_FORTIFY_SOURCE=2
This allows users to reduce the level of FORTIFY specified if necessary
or desired. The previous setting as "yes" is now equivalent to "strong"
(the default when enabling).
The new options are, for RELRO:
"no" Do not pass any flags for RELRO
"partial" Pass -Wl,-z,relro
"full" Pass -Wl,-z,relro -Wl,-z,now
This allows users to reduce the level of RELRO specified if necessary or
desired. The previous setting as "yes" is now equivalent to "full" (the
default when enabling).
This is intended to match the changes committed by jperkin@ (for SSP)
after our discussion a (long) while back.
No functional change intended (with the settings supported so far).
