[ubuntu-hardened] [16.04 LTS] Why Linux kernel is compiled using "-fstack-protector-all" option, instead of previously used "strong" variant?

daniel curtis sidetripping at gmail.com
Thu Oct 12 13:32:34 UTC 2017


Hello Steve

>> Sorry for the delay (...)

No problem. Everything is OK and clarified. I would like to thank you one
more time. Your answer is very valuable and I understand it better now.
Thanks :-)

However, there is one more thing: I've checked the latest systemd
v229-4ubuntu20 build log (for both arch.: amd64 and i386) and there is one
thing which I've never seen (that's the first time):

✗ checking if gcc supports flag -fstack-protector in envvar CFLAGS... yes
✗ checking if gcc supports flag -fstack-protector-strong in envvar CFLAGS... yes

I understand that these two entries can be absolutely normal, but I'm
wondering about this:

✗ CFLAGS: (...) -fvisibility=hidden -fstack-protector
-fstack-protector-strong -fPIE --param=ssp-buffer-size=4 (...)

As we can see, there are two fstack options, one next to the other. I had
never seen something similar. There has always been one variant used:
"all", "strong" etc. Here, we can see two options. Is it normal? Maybe
it is, but I'm wrong?

Here is a build log (amd64):

https://launchpadlibrarian.net/337558899/buildlog_ubuntu-xenial-amd64.systemd_229-4ubuntu20_BUILDING.txt.gz

Thanks, best regards.