profile: update CFLAGS et al

I've been testing this stuff for months now, time for everyone to enjoy. Enabling -flto for execution speed improvement as well as a bunch of pending gcc 14 security flags which seem to work reliably without causing any issues.
pentoo · Nov 16, 2024 · 5d01dc9 · 5d01dc9
1 parent 3256b47
commit 5d01dc9
Show file tree

Hide file tree

Showing 4 changed files with 65 additions and 71 deletions.
diff --git a/profiles/pentoo/base/make.defaults b/profiles/pentoo/base/make.defaults
@@ -1,4 +1,4 @@
-# Copyright 2004-2023 Gentoo Foundation.
+# Copyright 2004-2024 Gentoo Foundation.
 # Distributed under the terms of the GNU General Public License v2
 # $Header: $
 
@@ -8,10 +8,14 @@ LDFLAGS="${LDFLAGS} -Wl,--defsym=__gentoo_check_ldflags__=0"
 
 #Adding -frecord-gcc-switches to help track down packages which don't respect *FLAGS
 #should probably leave a note in /etc/portage/make.conf about keeping this when override
-CFLAGS="${CFLAGS} -O3 -frecord-gcc-switches -pipe"
-CXXFLAGS="${CXXFLAGS} -O3 -frecord-gcc-switches -pipe"
-FFLAGS="${FFLAGS} -O3 -frecord-gcc-switches -pipe"
-FCFLAGS="${FCFLAGS} -O3 -frecord-gcc-switches pipe"
+SPEEDFLAGS="-O3 -flto"
+WARNINGFLAGS="-frecord-gcc-switches -Wstringop-overread"
+#adapted from gcc14 -fhardened without "-fPIE -pie"
+SECURITYFLAGS="-D_FORTIFY_SOURCE=3 -D_GLIBCXX_ASSERTIONS -ftrivial-auto-var-init=pattern -Wl,-z,relro,-z,now -fstack-protector-strong -fstack-clash-protection -fcf-protection=full"
+CFLAGS="${CFLAGS} -pipe ${SPEEDFLAGS} ${WARNINGFLAGS} ${SECURITYFLAGS}"
+CXXFLAGS="${CXXFLAGS} -pipe ${SPEEDFLAGS} ${WARNINGFLAGS} ${SECURITYFLAGS}"
+FFLAGS="${FFLAGS} -pipe ${SPEEDFLAGS} ${WARNINGFLAGS} ${SECURITYFLAGS}"
+FCFLAGS="${FCFLAGS} -pipe ${SPEEDFLAGS} ${WARNINGFLAGS} ${SECURITYFLAGS}"
 
 FEATURES="${FEATURES} usersandbox protect-owned userpriv userfetch fixlafiles news parallel-fetch sfperms unmerge-orphans unknown-features-warn usersync \
       multilib-strict preserve-libs parallel-install -ebuild-locks binpkg-multi-instance -buildpkg-live splitdebug compressdebug"

diff --git a/profiles/pentoo/base/profile.bashrc b/profiles/pentoo/base/profile.bashrc
@@ -16,24 +16,6 @@ if [[ $CATEGORY/$PN-${PVR} == sys-fs/e2fsprogs-1.47.1 ]]; then export MAKEOPTS="
 #bug
 if [[ $CATEGORY/$PN == sys-boot/os-prober ]] ; then FEATURES=${FEATURES/multilib-strict/} ; fi
 
-#let's speed up the cracker's default cflags a bit. this bloats the binaries but speeds improve
-if [[ $CATEGORY/$PN == net-wireless/aircrack-ng ]]; then
-    export CFLAGS="${CFLAGS} -Werror=strict-aliasing -flto"
-    export CXXFLAGS="${CXXFLAGS} -Werror=strict-aliasing -flto"
-fi
-if [[ $CATEGORY/$PN == app-crypt/asleap ]]; then export CFLAGS="${CFLAGS} -Werror=strict-aliasing -flto"; fi
-if [[ $CATEGORY/$PN == app-crypt/hashcat ]]; then export CFLAGS="${CFLAGS} -Werror=strict-aliasing -flto"; fi
-if [[ $CATEGORY/$PN == app-crypt/johntheripper ]]; then export CFLAGS="${CFLAGS} -Werror=strict-aliasing -flto"; fi
-if [[ $CATEGORY/$PN == app-crypt/johntheripper-jumbo ]]; then export CFLAGS="${CFLAGS} -Werror=strict-aliasing -flto"; fi
-if [[ $CATEGORY/$PN == dev-libs/pocl ]]; then export CFLAGS="${CFLAGS} -Werror=strict-aliasing -flto"; fi
-if [[ $CATEGORY/$PN == net-wireless/cowpatty ]]; then export CFLAGS="${CFLAGS} -Werror=strict-aliasing -flto"; fi
-if [[ $CATEGORY/$PN =~ net-wireless/soapy* ]]; then export CFLAGS="${CFLAGS} -Werror=strict-aliasing -flto"; export CXXFLAGS="${CXXFLAGS} -Werror=strict-aliasing -flto"; fi
-
-#speaking of, why not build gcc fast like the crackers
-if [[ $CATEGORY/$PN == sys-devel/gcc ]]; then export CFLAGS="${CFLAGS} -Werror=strict-aliasing -flto"; fi
-if [[ $CATEGORY/$PN == sys-devel/binutils ]]; then export CFLAGS="${CFLAGS} -Werror=strict-aliasing -flto"; fi
-if [[ $CATEGORY/$PN == sys-libs/binutils-libs ]]; then export CFLAGS="${CFLAGS} -Werror=strict-aliasing -flto"; fi
-
 #are you kidding me?
 if [[ $CATEGORY/$PN == net-misc/openssh ]]; then export OPENSSH_EOL_USE_FLAGS_I_KNOW_WHAT_I_AM_DOING=yes; fi
 
@@ -47,6 +29,59 @@ if [[ $CATEGORY/$PN == dev-lang/rust ]]; then
   CFLAGS=${CFLAGS/-ggdb/} CXXFLAGS=${CXXFLAGS/-ggdb/}
 fi
 
+#some packages break on LTO and should all have bugs
+if [[ ${CATEGORY}/${PN} == app-crypt/mit-krb5 ]]; then
+  export CFLAGS="${CFLAGS/-flto/}"
+fi
+if [[ ${CATEGORY}/${PN} == dev-python/numpy ]]; then
+  export CFLAGS="${CFLAGS/-flto/}"
+fi
+if [[ ${CATEGORY}/${PN} == media-video/mplayer ]]; then
+  export CFLAGS="${CFLAGS/-flto/}"
+fi
+if [[ ${CATEGORY}/${PN} == net-wireless/bluez ]]; then
+  # Tests fail with -flto
+  export CFLAGS="${CFLAGS/-flto/}"
+fi
+if [[ ${CATEGORY}/${PN} == sys-apps/util-linux ]]; then
+  export CFLAGS="${CFLAGS/-flto/}"
+fi
+if [[ ${CATEGORY}/${PN} == sys-devel/binutils ]]; then
+  export CFLAGS="${CFLAGS/-flto/}"
+  # zero uses extra warnings to find bugs
+  export CFLAGS="${CFLAGS/-Werror=stringop-overread/}"
+fi
+if [[ ${CATEGORY}/${PN} == www-client/chromium ]]; then
+  export CFLAGS="${CFLAGS/-flto/}"
+  export CXXFLAGS="${CXXFLAGS/-flto/}"
+fi
+if [[ ${CATEGORY}/${PN} == dev-qt/qtnetwork ]]; then
+  export CXXFLAGS="${CXXFLAGS/-flto/}"
+  # zero uses extra warnings to find bugs
+  export CXXFLAGS="${CXXFLAGS/-Werror=stringop-overread/}"
+fi
+if [[ ${CATEGORY}/${PN} == kde-plasma/kwayland ]]; then
+  export CXXFLAGS="${CXXFLAGS/-flto/}"
+fi
+if [[ ${CATEGORY}/${PN} == media-gfx/geeqie ]]; then
+  export CXXFLAGS="${CXXFLAGS/-flto/}"
+fi
+if [[ ${CATEGORY}/${PN} == media-libs/mesa ]]; then
+  export CXXFLAGS="${CXXFLAGS/-flto/}"
+  # zero uses extra warnings to find bugs
+  export CXXFLAGS="${CXXFLAGS/-Werror=stringop-overread/}"
+fi
+if [[ ${CATEGORY}/${PN} == media-libs/x265 ]]; then
+  export CXXFLAGS="${CXXFLAGS/-flto/}"
+fi
+if [[ ${CATEGORY}/${PN} == net-ftp/filezilla ]]; then
+  export CXXFLAGS="${CXXFLAGS/-flto/}"
+fi
+# FFLAGS
+if [[ ${CATEGORY}/${PN} == dev-python/scipy ]]; then
+  export FFLAGS="${FFLAGS/-flto/}"
+fi
+
 #Sign kernel modules, stolen unmodified on 20200514 from:
 #https://wiki.gentoo.org/wiki/Signed_kernel_module_support
 function pre_pkg_preinst() {

diff --git a/profiles/pentoo/zero-system/make.defaults b/profiles/pentoo/zero-system/make.defaults
@@ -10,12 +10,13 @@ FEATURES="sign"
 ECHANGELOG_USER="Rick Farina <[email protected]>"
 DCO_SIGNED_OFF_BY="Rick Farina <[email protected]>"
 
-CFLAGS="${CFLAGS} -flto -Werror=strict-aliasing -Werror=odr -Werror=lto-type-mismatch -Wstringop-overread -Werror=stringop-overread"
-#CFLAGS="${CFLAGS} -Werror=format-security"
+CFLAGS="${CFLAGS} -Werror=strict-aliasing -Werror=odr -Werror=lto-type-mismatch -Werror=stringop-overread -Werror=format-security"
 CXXFLAGS="${CFLAGS}"
 FCFLAGS="${CFLAGS}"
 FFLAGS="${CFLAGS}"
 
+MAKEOPTS="--shuffle"
+
 PORTAGE_NICENESS="19"
 
 DISTDIR=/usr/portage/distfiles
diff --git a/profiles/pentoo/zero-system/profile.bashrc b/profiles/pentoo/zero-system/profile.bashrc
@@ -13,8 +13,6 @@ fi
 # Packages that need shuffle disabled
 if [[ ${CATEGORY}/${PN} == www-client/chromium ]]; then
   export MAKEOPTS="${MAKEOPTS} --shuffle=none"
-  export CFLAGS="${CFLAGS/-flto/}"
-  export CXXFLAGS="${CXXFLAGS/-flto/}"
 fi
 if [[ ${CATEGORY}/${PN} == app-containers/containerd ]]; then
   export MAKEOPTS="${MAKEOPTS} --shuffle=none"
@@ -30,9 +28,6 @@ fi
 
 # These packages need lto or similar disabled
 # CFLAGS
-if [[ ${CATEGORY}/${PN} == app-crypt/mit-krb5 ]]; then
-  export CFLAGS="${CFLAGS/-flto/}"
-fi
 if [[ ${CATEGORY}/${PN} == app-text/texlive-core ]]; then
   export CFLAGS="${CFLAGS/-Werror=lto-type-mismatch/}"
   export CFLAGS="${CFLAGS/-Werror=strict-aliasing/}"
@@ -52,9 +47,6 @@ fi
 if [[ ${CATEGORY}/${PN} == dev-libs/libtecla ]]; then
   export CFLAGS="${CFLAGS/-Werror=stringop-overread/}"
 fi
-if [[ ${CATEGORY}/${PN} == dev-python/numpy ]]; then
-  export CFLAGS="${CFLAGS/-flto/}"
-fi
 if [[ ${CATEGORY}/${PN} == dev-python/protobuf-python ]]; then
   export CFLAGS="${CFLAGS/-Werror=stringop-overread/}"
 fi
@@ -82,9 +74,6 @@ fi
 if [[ ${CATEGORY}/${PN} == media-libs/opus ]]; then
   export CFLAGS="${CFLAGS/-Werror=stringop-overread/}"
 fi
-if [[ ${CATEGORY}/${PN} == media-video/mplayer ]]; then
-  export CFLAGS="${CFLAGS/-flto/}"
-fi
 if [[ ${CATEGORY}/${PN} == media-video/vlc ]]; then
   export CFLAGS="${CFLAGS/-Werror=stringop-overread/}"
   export CFLAGS="${CFLAGS/-Werror=strict-aliasing/}"
@@ -111,20 +100,9 @@ fi
 if [[ ${CATEGORY}/${PN} == net-misc/vde ]]; then
   export CFLAGS="${CFLAGS/-Werror=stringop-overread/}"
 fi
-if [[ ${CATEGORY}/${PN} == net-wireless/bluez ]]; then
-  # Tests fail with -flto
-  export CFLAGS="${CFLAGS/-flto/}"
-fi
 if [[ ${CATEGORY}/${PN} == net-wireless/bladerf ]]; then
   export CFLAGS="${CFLAGS/-Werror=lto-type-mismatch/}"
 fi
-if [[ ${CATEGORY}/${PN} == sys-apps/util-linux ]]; then
-  export CFLAGS="${CFLAGS/-flto/}"
-fi
-if [[ ${CATEGORY}/${PN} == sys-devel/binutils ]]; then
-  export CFLAGS="${CFLAGS/-Werror=stringop-overread/}"
-  export CFLAGS="${CFLAGS/-flto/}"
-fi
 if [[ ${CATEGORY}/${PN} == sys-cluster/openmpi ]]; then
   export CFLAGS="${CFLAGS/-Werror=stringop-overread/}"
   export CFLAGS="${CFLAGS/-Werror=lto-type-mismatch/}"
@@ -162,10 +140,6 @@ fi
 if [[ ${CATEGORY}/${PN} == dev-qt/qtwebengine ]]; then
   export CXXFLAGS="${CXXFLAGS/-Werror=stringop-overread/}"
 fi
-if [[ ${CATEGORY}/${PN} == dev-qt/qtnetwork ]]; then
-  export CXXFLAGS="${CXXFLAGS/-flto/}"
-  export CXXFLAGS="${CXXFLAGS/-Werror=stringop-overread/}"
-fi
 if [[ ${CATEGORY}/${PN} == dev-util/android-tools ]]; then
   export CFLAGS="${CFLAGS/-Werror=stringop-overread/}"
   export CXXFLAGS="${CXXFLAGS/-Werror=strict-aliasing/}"
@@ -190,36 +164,20 @@ fi
 if [[ ${CATEGORY}/${PN} == kde-frameworks/khtml ]]; then
   export CXXFLAGS="${CXXFLAGS/-Werror=odr/}"
 fi
-if [[ ${CATEGORY}/${PN} == kde-plasma/kwayland ]]; then
-  export CXXFLAGS="${CXXFLAGS/-flto/}"
-fi
 if [[ ${CATEGORY}/${PN} == kde-plasma/plasma-desktop ]]; then
   export CXXFLAGS="${CXXFLAGS/-Werror=odr/}"
   export CXXFLAGS="${CXXFLAGS/-Werror=stringop-overread/}"
 fi
 if [[ ${CATEGORY}/${PN} == kde-plasma/plasma-vault ]]; then
   export CXXFLAGS="${CXXFLAGS/-Werror=odr/}"
 fi
-if [[ ${CATEGORY}/${PN} == media-gfx/geeqie ]]; then
-  export CXXFLAGS="${CXXFLAGS/-flto/}"
-fi
-if [[ ${CATEGORY}/${PN} == media-libs/mesa ]]; then
-  export CXXFLAGS="${CXXFLAGS/-flto/}"
-  export CXXFLAGS="${CXXFLAGS/-Werror=stringop-overread/}"
-fi
-if [[ ${CATEGORY}/${PN} == media-libs/x265 ]]; then
-  export CXXFLAGS="${CXXFLAGS/-flto/}"
-fi
 if [[ ${CATEGORY}/${PN} == media-sound/audacity ]]; then
   export CXXFLAGS="${CXXFLAGS/-Werror=strict-aliasing/}"
   export CXXFLAGS="${CXXFLAGS/-Werror=odr/}"
 fi
 if [[ ${CATEGORY}/${PN} == net-analyzer/gspoof ]]; then
   export CXXFLAGS="${CXXFLAGS/-Werror=lto-type-mismatch/}"
 fi
-if [[ ${CATEGORY}/${PN} == net-ftp/filezilla ]]; then
-  export CXXFLAGS="${CXXFLAGS/-flto/}"
-fi
 if [[ ${CATEGORY}/${PN} == net-wireless/gnuradio ]]; then
   # https://github.com/gnuradio/gnuradio/issues/7056
   export CXXFLAGS="${CXXFLAGS/-Werror=odr/}"
@@ -236,10 +194,6 @@ fi
 if [[ ${CATEGORY}/${PN} == sys-devel/llvm ]]; then
   export CXXFLAGS="${CXXFLAGS/-Werror=odr/}"
 fi
-# FFLAGS
-if [[ ${CATEGORY}/${PN} == dev-python/scipy ]]; then
-  export FFLAGS="${FFLAGS/-flto/}"
-fi
 
 #GCC14 Hardening Relaxations
 if [[ ${CATEGORY}/${PN} == sys-libs/efivar ]]; then