Document the binary hardening measures

1 parent 349e2d2, commit b5ab0d073647c4ad61dfe9552c1849a0f230bced. kmcallister committed with keithw, Mar 25, 2012
Showing with 12 additions and 1 deletion.
  1. +12 −1
@@ -110,10 +110,21 @@ Advice to distributors
A note on compiler flags: Mosh is security-sensitive code. When making
automated builds for a binary package, we recommend passing the option
-`--enable-compile-warnings=error` to ./configure. On GNU/Linux with
+`--enable-compile-warnings=error` to `./configure`. On GNU/Linux with
`g++` or `clang++`, the package should compile cleanly with
`-Werror`. Please report a bug if it doesn't.
+Where available, Mosh builds with a variety of binary hardening flags
+such as `-fstack-protector-all`, `-D_FORTIFY_SOURCE=2`, etc. These
+provide proactive security against the possibility of a memory
+corruption bug in Mosh or one of the libraries it uses. For a full
+list of flags, search for `HARDEN` in ``. The `configure`
+script detects which flags are supported by your compiler, and enables
+them automatically. To disable this detection, pass
+`--disable-hardening` to `./configure`. Please report a bug if you
+have trouble with the default settings; we would like as many users as
+possible to be running a configuration as secure as possible.
Mosh ships with a default optimization setting of `-O2`. Some
distributors have asked about changing this to `-Os` (which causes a
compiler to prefer space optimizations to time optimizations). We have
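
Review bot: In the added paragraph, the sentence "For a full list of flags, search for `HARDEN` in ``" has an empty pair of backticks where the file name should be, so a distributor cannot tell which file to search; name the file there. The same paragraph says the `configure` script enables only the flags the compiler supports, which means a package can be built with fewer hardening flags than expected and nothing in this text tells the packager how to notice; consider adding a sentence on where to see which flags were actually enabled, and a short caution next to `--disable-hardening` that it should be a last resort for binary packages. Minor style point: "such as `-fstack-protector-all`, `-D_FORTIFY_SOURCE=2`, etc." is redundant, so drop the "etc.".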
