Default compiler hardening flags used to build packages for Linux distributions

.	Alpine	Debian	Fedora	Gentoo	Gentoo Hardened	Ubuntu	OpenSUSE	ArchLinux	OpenBSD	Chimera Linux	Android	Google Chrome
-fhardened	NA	no	no	no	no	no	?	no	NA	?	NA	?
-D_FORTIFY_SOURCE=2	yes	2011	2007	yes	superseded	2008	2005	2021	?	yes	2017	yes
-D_FORTIFY_SOURCE=3	no	no	2023	no	2022	2024	2023	2024	?	2024	no	yes
-D_GLIBCXX_ASSERTIONS	2023	no	2018	no	2022	no	yes	2021	no	no	no	?
-D_LIBCPP_HARDENING_MODE_HARDENED/-flibc++-hardening	no	no	no	no	?	no	no	no	?	?	no	?
-D_LIBCPP_ENABLE_HARDENED_MODE (deprecated)	not yet1	no	no	no	2023	no	no	no	?	?	no	yes
-D_LIBCXX_ENABLE_ASSERTIONS (llvm16)	no	no	no	no	superseded	no	no	no	?	yes	?	yes
-Wformat -Wformat-security/-Wformat=2	2023	2011	2013	2009	2009	2008	yes	2021	?	2023	2010	yes
-Wl,-z,noexecstack	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes	yes
-Wl,-z,relro/-Wl,-z,now	yes	yes	2015	no	yes	2008	2006	2017	?	yes	2013	yes
-fPIE/-fPIC/…	2008	2011	2015	yes	yes	2016	2017	2017	yes	yes	2012	yes
-fcf-protection/-mcet2	no	2023	2018	no	2021	2019	yes	2021	2023	no	no	?
-fsanitize=bounds	no	no	no	no	no	no	no	no	no	no	2019, partial	no
-fsanitize=cfi2	no	no	no	no	no	no	no	no	no	partial	2018, partial	?
-fsanitize=safe-stack2	no	no	no	no	no	no	no	no	no	no	?	?
-fsanitize=shadow-call-stack2	no	no	no	no	no	no	no	no	no	no	2019, partial	?
-fsanitize=signed-integer-overflow/-ftrapv	no	no	no	no	no	no	no	no	no	yes	2018, partial	?
-fsanitize=undefined	no	no	no	no	no	no	no	no	?	no	?	?
-fstack-clash-protection	2023	yes	2018	no	2018	2019	2018	2021	?	yes	?	?
-fstack-protector-strong	yes	yes	yes	yes	yes	2014	2006	2014	yes	yes	2015	?
-fstack-protector	superseded	superseded	superseded	superseded	superseded	superseded	superseded	superseded	superseded	superseded	2009	?
-ftrivial-auto-var-init=zero	no	no	no	no	no	no	no	no	?	2023	2020	?
-mbranch-protection=standard/-mbranch-target-enforce	no	2023	2020	no	no	2023	no	no	2023	no	?	?
-msign-return-address=[all/non-leaf]	no	superseded	superseded	no	no	superseded	no	no	superseded	superseded	?	?
-mshstk	no	no	no	no	no	no	no	no	no	no	?	?

Note that:

• some flags are incompatible between each other
• some flags are more useful than others
• some flags are superseding some others
• some libc are incompatible with some flags
• "partial" means "enabled in a lot of places, but not everywhere, with substantial caveats"
• while Google Chrome isn't a distribution, given the size of its source code, it's close enough™ to warrant inclusion in the table.

Please do not expect these flags to be enabled in a distros compiler. This repo only tracks compiler hardening flags used to build packages (e.g., rpms or debs). For example, in the deb world settings from both gcc and dpkg are used to build package archives. In most cases Ubuntu sets security hardening flags in the compiler, but a few are only set in dpkg. On Debian and Ubuntu the most recent release's archive builds arm64 packages with -mbranch-protection=standard, but you need to manually set the flag when compiling your own code.

Sources and resources:

• https://src.fedoraproject.org/rpms/redhat-rpm-config//blob/rawhide/f/buildflags.md
• https://en.opensuse.org/openSUSE:Security_Features
• https://gcc.gnu.org/pipermail/gcc-patches/2023-August/628748.html
• https://wiki.gentoo.org/wiki/Hardened/Toolchain#Changes
• https://gitlab.archlinux.org/archlinux/rfcs/-/blob/master/rfcs/0003-buildflags.rst?ref_type=heads
• https://man.openbsd.org/clang-local
• https://sergesanspaille.fedorapeople.org/lpc2020.pdf
• https://wiki.ubuntu.com/Security/Features
• https://wiki.ubuntu.com/ToolChain/CompilerFlags
• https://fedoraproject.org/wiki/Security_Features_Matrix
• https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html

Footnotes

1. As -D_LIBCPP_ENABLE_HARDENED_MODE only works for llvm18, which isn't in Alpine yet. It replaces -D_LIBCPP_ASSERT and -D_LIBCPP_ENABLE_ASSERTIONS. ↩

2. Not supported by musl libc ↩ ↩² ↩³ ↩⁴