Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Document the binary hardening measures

  • Loading branch information...
commit b5ab0d073647c4ad61dfe9552c1849a0f230bced 1 parent 349e2d2
@kmcallister kmcallister authored committed
Showing with 12 additions and 1 deletion.
  1. +12 −1 README.md
View
13 README.md
@@ -110,10 +110,21 @@ Advice to distributors
A note on compiler flags: Mosh is security-sensitive code. When making
automated builds for a binary package, we recommend passing the option
-`--enable-compile-warnings=error` to ./configure. On GNU/Linux with
+`--enable-compile-warnings=error` to `./configure`. On GNU/Linux with
`g++` or `clang++`, the package should compile cleanly with
`-Werror`. Please report a bug if it doesn't.
+Where available, Mosh builds with a variety of binary hardening flags
+such as `-fstack-protector-all`, `-D_FORTIFY_SOURCE=2`, etc. These
+provide proactive security against the possibility of a memory
+corruption bug in Mosh or one of the libraries it uses. For a full
+list of flags, search for `HARDEN` in `configure.ac`. The `configure`
+script detects which flags are supported by your compiler, and enables
+them automatically. To disable this detection, pass
+`--disable-hardening` to `./configure`. Please report a bug if you
+have trouble with the default settings; we would like as many users as
+possible to be running a configuration as secure as possible.
+
Mosh ships with a default optimization setting of `-O2`. Some
distributors have asked about changing this to `-Os` (which causes a
compiler to prefer space optimizations to time optimizations). We have
Please sign in to comment.
Something went wrong with that request. Please try again.