AW: Increased SECURITY RISCS from omitting some compikler options when building PG with meson; e.g. -fcf-protection=full

From: Hans Buschmann <buschmann(at)nidsa(dot)net>
To: Peter Eisentraut <peter(at)eisentraut(dot)org>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: AW: Increased SECURITY RISCS from omitting some compikler options when building PG with meson; e.g. -fcf-protection=full
Date: 2026-07-08 10:01:32
Message-ID: 9412859e22d74f218562a535a7271a40@nidsa.net
Views: Whole Thread | Raw Message | Download mbox | Resend email
Thread:
Lists: pgsql-hackers


Hello Peter

Thanks for your quick response.

I totally agree that it is impossible to always follow all distributions with their specific compiler flags.

But my intention was a bit different: asking for internal consistency.

For distributions the PGDG publishes binaries for (see download page) a certain selection of compiler flags are choosen.

My intention is to set these flags as defaults for self-compiling on these platforms.

Most of the flags are compiler-driven, eventually changing with a new version.

I think it is important that these compiler options are DOCUMENTED (in the binary distributions) so that they can be set or verified when self-compiling.

I think the normal user cannot handle all these compiler options, it wants to use the tested and provided standard managed by the developers.

It is clear that the global benefits of some mitigations may arrive only much later (fedora 28 ->45).

I think in the near future (APX and AVX10.2) there will be new architectural opportunities which really could target performance on newer architectures. This will require a more thoughtfull choice of compiler options..

Hans Buschmann

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Amit Kapila 2026-07-08 10:02:35 Re: [PATCH] Preserve replication origin OIDs in pg_upgrade
Previous Message shveta malik 2026-07-08 09:28:15 Re: Support EXCEPT for TABLES IN SCHEMA publications