Identify what build flags we should be using for security, and use them

added component::applications/tor browser gitlab-tb-tor-browser-build owner::tbb-team priority::medium severity::normal status::new tbb-rbm tbb-security type::defect labels

Using about:buildconfig, the browser reports compiler flags and configure arguments for our tor-browser.git builds. Are these a complete list of the compiler flags actually used? I don't know. In any case, here are the current reports:

Linux TBB 6.5:

target
x86_64-unknown-linux-gnu

Build tools
Compiler 	Version 	Compiler flags
gcc 	5.1.0 	-Wall -Wempty-body -Wpointer-to-int-cast -Wsign-compare -Wtype-limits -Wno-unused -Wcast-align -frandom-seed=tor -std=gnu99 -fgnu89-inline -fno-strict-aliasing -fno-math-errno -pthread -pipe
c++ 	5.1.0 	-Wall -Wempty-body -Woverloaded-virtual -Wsign-compare -Wwrite-strings -Wno-invalid-offsetof -Wcast-align -frandom-seed=tor -fno-exceptions -fno-strict-aliasing -fno-rtti -fno-exceptions -fno-math-errno -std=gnu++0x -pthread -pipe -DNDEBUG -DTRIMMED -g -freorder-blocks -Os -fomit-frame-pointer

Configure arguments
--enable-application=browser --enable-optimize --enable-official-branding --enable-tor-browser-update --enable-update-packaging --enable-signmar --enable-verify-mar --disable-strip --disable-install-strip --disable-tests --disable-debug --disable-maintenance-service --disable-crashreporter --disable-webrtc --disable-eme --disable-loop --with-tor-browser-version=6.5 --enable-update-channel=release --enable-bundled-fonts

Windows TBB 6.5:

target
i686-w64-mingw32

Build tools
Compiler    Version     Compiler flags
i686-w64-mingw32-gcc -mwindows  5.1.0   -Wall -Wempty-body -Wpointer-to-int-cast -Wsign-compare -Wtype-limits -Wno-unused -Wcast-align -Wno-format -std=gnu99 -fgnu89-inline -fno-strict-aliasing -mms-bitfields -mstackrealign -fno-keep-inline-dllexport -fno-math-errno -pipe
i686-w64-mingw32-g++ -mwindows  5.1.0   -Wall -Wempty-body -Woverloaded-virtual -Wsign-compare -Wwrite-strings -Wno-invalid-offsetof -Wcast-align -Wno-format -fno-exceptions -fno-strict-aliasing -mms-bitfields -mstackrealign -fno-keep-inline-dllexport -fno-rtti -fno-exceptions -fno-math-errno -std=gnu++0x -pipe -DNDEBUG -DTRIMMED -g -O -fomit-frame-pointer

Configure arguments 
--enable-application=browser --target=i686-w64-mingw32 --enable-default-toolkit=cairo-windows --disable-debug --enable-optimize --enable-strip --enable-official-branding --enable-tor-browser-update --enable-update-packaging --enable-signmar --enable-verify-mar --disable-sandbox --disable-eme --disable-crashreporter --disable-maintenance-service --disable-webrtc --disable-tests --disable-loop --with-tor-browser-version=6.5 --enable-update-channel=release --enable-bundled-fonts

Mac TBB 6.5:

target
x86_64-apple-darwin

Build tools
Compiler    Version     Compiler flags
/home/debian/build/tor-browser/clang/bin/clang -target x86_64-apple-darwin10 -mlinker-version=136 -B /home/debian/build/tor-browser/cctools/bin -isysroot /home/debian/build/tor-browser/MacOSX10.7.sdk     3.8.0   -Qunused-arguments -Wall -Wempty-body -Wpointer-to-int-cast -Wsign-compare -Wtype-limits -Wno-unused -std=gnu99 -fno-strict-aliasing -fno-math-errno -pthread -DNO_X11 -pipe
/home/debian/build/tor-browser/clang/bin/clang++ -target x86_64-apple-darwin10 -mlinker-version=136 -B /home/debian/build/tor-browser/cctools/bin -isysroot /home/debian/build/tor-browser/MacOSX10.7.sdk   3.8.0   -Qunused-arguments -Qunused-arguments -Wno-unused-local-typedef -Wall -Wempty-body -Woverloaded-virtual -Wsign-compare -Wwrite-strings -Wno-invalid-offsetof -Wno-inline-new-delete -Wno-unused-local-typedef -Wno-c++0x-extensions -Wno-extended-offsetof -Wno-unknown-warning-option -Wno-return-type-c-linkage -fno-exceptions -fno-strict-aliasing -fno-rtti -fno-exceptions -fno-math-errno -std=gnu++0x -pthread -DNO_X11 -pipe -DNDEBUG -DTRIMMED -g -O3 -fomit-frame-pointer

Configure arguments 
--target=x86_64-apple-darwin --with-macos-private-frameworks=/home/debian/build/tor-browser/MacOSX10.7.sdk/System/Library/PrivateFrameworks --enable-application=browser --enable-strip --enable-official-branding --enable-optimize --disable-debug --enable-tor-browser-data-outside-app-dir --enable-tor-browser-update --enable-update-packaging --enable-signmar --enable-verify-mar --disable-crashreporter --disable-maintenance-service --disable-webrtc --disable-tests --disable-eme --disable-loop --with-tor-browser-version=6.5 --enable-update-channel=release --enable-bundled-fonts

For comparison, here are the current Firefox release build flags:

Linux Firefox 51.01

target
x86_64-pc-linux-gnu
Build tools
Compiler 	Version 	Compiler flags
/builds/slave/m-rel-l64-00000000000000000000/build/src/gcc/bin/gcc -std=gnu99 	4.8.5 	-Wall -Wempty-body -Wignored-qualifiers -Wpointer-arith -Wsign-compare -Wtype-limits -Wunreachable-code -Wno-error=maybe-uninitialized -Wno-error=deprecated-declarations -Wno-error=array-bounds -Wno-error=coverage-mismatch -Wno-error=free-nonheap-object -fno-strict-aliasing -ffunction-sections -fdata-sections -fno-math-errno -pthread -pipe
/builds/slave/m-rel-l64-00000000000000000000/build/src/gcc/bin/g++ -std=gnu++11 	4.8.5 	-Wall -Wc++11-compat -Wempty-body -Wignored-qualifiers -Woverloaded-virtual -Wpointer-arith -Wsign-compare -Wtype-limits -Wunreachable-code -Wwrite-strings -Wno-invalid-offsetof -Wno-error=maybe-uninitialized -Wno-error=deprecated-declarations -Wno-error=array-bounds -Wno-error=coverage-mismatch -Wno-error=free-nonheap-object -fno-exceptions -fno-strict-aliasing -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -fno-math-errno -pthread -D_GLIBCXX_USE_CXX11_ABI=0 -pipe -g -fprofile-use -fprofile-correction -Wcoverage-mismatch -O3 -fomit-frame-pointer -Werror
Configure options

MOZ_AUTOMATION=1 --enable-update-channel=release PKG_CONFIG=/builds/slave/m-rel-l64-00000000000000000000/build/src/gtk3/usr/local/bin/pkg-config --enable-js-shell --enable-default-toolkit=cairo-gtk3 --with-mozilla-api-keyfile=/builds/mozilla-desktop-geoloc-api.key --with-google-api-keyfile=/builds/gapi.data MOZ_PGO=1 CC=/builds/slave/m-rel-l64-00000000000000000000/build/src/gcc/bin/gcc CXX=/builds/slave/m-rel-l64-00000000000000000000/build/src/gcc/bin/g++ --enable-rust RUSTC=/builds/slave/m-rel-l64-00000000000000000000/build/src/rustc/bin/rustc CARGO=/builds/slave/m-rel-l64-00000000000000000000/build/src/cargo/bin/cargo MAKE=/usr/bin/gmake --enable-crashreporter --enable-elf-hack --enable-official-branding --enable-release --enable-stdcxx-compat --enable-verify-mar

Windows Firefox 51.01:

target
i686-pc-mingw32

Build tools
Compiler 	Version 	Compiler flags
c:/builds/moz2_slave/m-rel-w32-00000000000000000000/build/src/vs2015u3/VC/bin/amd64_x86/cl.EXE 	19.00.24213 	-TC -nologo -wd4091 -D_HAS_EXCEPTIONS=0 -W3 -Gy -Zc:inline -arch:SSE2 -FS -wd4244 -wd4267 -wd4819 -we4553
c:/builds/moz2_slave/m-rel-w32-00000000000000000000/build/src/vs2015u3/VC/bin/amd64_x86/cl.EXE 	19.00.24213 	-TP -nologo -wd5026 -wd5027 -Zc:sizedDealloc- -Zc:threadSafeInit- -wd4091 -wd4577 -D_HAS_EXCEPTIONS=0 -W3 -Gy -Zc:inline -arch:SSE2 -FS -wd4251 -wd4244 -wd4267 -wd4345 -wd4351 -wd4800 -wd4819 -wd4595 -we4553 -GR- -Zi -GL -wd4624 -wd4952 -O1 -Oi -Oy

Configure options
MOZ_AUTOMATION=1 'MOZILLABUILD=C:\mozilla-build' --enable-update-channel=release --enable-js-shell --enable-eme=+adobe --with-mozilla-api-keyfile=c:/builds/mozilla-desktop-geoloc-api.key --with-google-api-keyfile=c:/builds/gapi.data MOZ_PGO=1 WINDOWSSDKDIR=c:/builds/moz2_slave/m-rel-w32-00000000000000000000/build/src/vs2015u3/SDK --enable-rust RUSTC=c:/builds/moz2_slave/m-rel-w32-00000000000000000000/build/src/rustc/bin/rustc CARGO=c:/builds/moz2_slave/m-rel-w32-00000000000000000000/build/src/cargo/bin/cargo --enable-jemalloc MAKE=c:/builds/moz2_slave/m-rel-w32-00000000000000000000/build/src/mozmake.EXE --enable-crashreporter --enable-official-branding --enable-release --enable-require-all-d3dc-versions --enable-verify-mar

Mac Firefox 51.01:

target
x86_64-apple-darwin11.2.0

Build tools
Compiler    Version     Compiler flags
/usr/local/bin/ccache /builds/slave/m-rel-m64-00000000000000000000/build/src/clang/bin/clang -arch x86_64 -std=gnu99    3.8.0   -Qunused-arguments -Wall -Wempty-body -Wignored-qualifiers -Wpointer-arith -Wsign-compare -Wtype-limits -Wunreachable-code -Wclass-varargs -Wloop-analysis -Werror=non-literal-null-conversion -Wstring-conversion -Wthread-safety -Wno-error=deprecated-declarations -Wno-error=array-bounds -isysroot /Developer/SDKs/MacOSX10.7.sdk -fno-strict-aliasing -ffunction-sections -fdata-sections -fno-math-errno -pthread -pipe
/usr/local/bin/ccache /builds/slave/m-rel-m64-00000000000000000000/build/src/clang/bin/clang++ -arch x86_64 -std=gnu++11    3.8.0   -Qunused-arguments -Qunused-arguments -Wall -Wc++11-compat -Wempty-body -Wignored-qualifiers -Woverloaded-virtual -Wpointer-arith -Wsign-compare -Wtype-limits -Wunreachable-code -Wwrite-strings -Wno-invalid-offsetof -Wclass-varargs -Wloop-analysis -Wc++11-compat-pedantic -Wc++14-compat -Wc++14-compat-pedantic -Wc++1z-compat -Wimplicit-fallthrough -Werror=non-literal-null-conversion -Wstring-conversion -Wthread-safety -Wno-inline-new-delete -Wno-error=deprecated-declarations -Wno-error=array-bounds -Wno-unknown-warning-option -Wno-return-type-c-linkage -isysroot /Developer/SDKs/MacOSX10.7.sdk -fno-exceptions -fno-strict-aliasing -stdlib=libc++ -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -fno-math-errno -pthread -pipe -g -O3 -fomit-frame-pointer -Werror

Configure options 
MOZ_AUTOMATION=1 MOZ_CURRENT_PROJECT=x86_64 --target=x86_64-apple-darwin11.2.0 --enable-application=browser --enable-update-channel=release --enable-js-shell --with-mozilla-api-keyfile=/builds/mozilla-desktop-geoloc-api.key --with-google-api-keyfile=/builds/gapi.data --with-ccache 'CC=/builds/slave/m-rel-m64-00000000000000000000/build/src/clang/bin/clang -arch x86_64' 'CXX=/builds/slave/m-rel-m64-00000000000000000000/build/src/clang/bin/clang++ -arch x86_64' HOST_CC=/builds/slave/m-rel-m64-00000000000000000000/build/src/clang/bin/clang HOST_CXX=/builds/slave/m-rel-m64-00000000000000000000/build/src/clang/bin/clang++ LD=ld --enable-rust RUSTC=/builds/slave/m-rel-m64-00000000000000000000/build/src/rustc/bin/rustc CARGO=/builds/slave/m-rel-m64-00000000000000000000/build/src/cargo/bin/cargo MAKE=/usr/bin/make DSYMUTIL=/builds/slave/m-rel-m64-00000000000000000000/build/src/clang/bin/llvm-dsymutil --enable-crashreporter --enable-official-branding --enable-release --enable-verify-mar --with-macos-sdk=/Developer/SDKs/MacOSX10.7.sdk --with-unify-dist=../i386/dist

Trac:
Keywords: N/A deleted, tbb-security added

Relevant Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=620058

Trac:
Description: I think we are probably forgetting some configure/compiler/linker flags in Tor Browser that can improve security. Let's figure out what those are and add them. I would suggest child tickets for each new flag, so we can do this step by step.

to

I think we may be able to add some configure/compiler/linker flags in Tor Browser that can improve security without many downsides. Let's figure out what those are and add them. I would suggest child tickets for each new flag, so we can do this step by step.

Here are some security flags I think we can add to the gcc-based builds (Linux and mingw). There is heavy overlap with the proposed flags in https://bugzilla.mozilla.org/show_bug.cgi?id=620058. (I think we should be able to add similar flags to the clang based builds -- I will look into that after we settle on flags to add to gcc.)

-Werror=format
-Werror=format-security
-fstack-protector-strong
--param ssp-buffer-size=4
-pie -fPIE
-D_FORTIFY_SOURCE=2 -O1
-Wl,-z,relro,-z,now
-ftrapv

Note I am leaving out more advanced mitigations like -fvtable-verify=std for this iteration because getting these to work is likely to be complex.

Trac:
Description: I think we may be able to add some configure/compiler/linker flags in Tor Browser that can improve security without many downsides. Let's figure out what those are and add them. I would suggest child tickets for each new flag, so we can do this step by step.

to

I think we may be able to add some configure/compiler/linker flags in Tor Browser that can improve security without many downsides. Let's figure out what those are and add them.

Replying to arthuredelstein:

Here are some security flags I think we can add to the gcc-based builds (Linux and mingw). There is heavy overlap with the proposed flags in https://bugzilla.mozilla.org/show_bug.cgi?id=620058. (I think we should be able to add similar flags to the clang based builds -- I will look into that after we settle on flags to add to gcc.) {{{ -Werror=format -Werror=format-security -fstack-protector-strong --param ssp-buffer-size=4 -pie -fPIE -D_FORTIFY_SOURCE=2 -O1 -Wl,-z,relro,-z,now -ftrapv }}}

Uhm. We are doing already most of those things. Have you looked at our gitian build scripts? And I am not so sure we should build with ftrapv see comment:1:ticket:18310.

Note I am leaving out more advanced mitigations like -fvtable-verify=std for this iteration because getting these to work is likely to be complex.

That is broken and not working due to Mozilla internals, see: https://bugzilla.mozilla.org/show_bug.cgi?id=1046600

Replying to gk:

Replying to arthuredelstein:
Here are some security flags I think we can add to the gcc-based builds (Linux and mingw). There is heavy overlap with the proposed flags in https://bugzilla.mozilla.org/show_bug.cgi?id=620058. (I think we should be able to add similar flags to the clang based builds -- I will look into that after we settle on flags to add to gcc.)
-Werror=format
-Werror=format-security
-fstack-protector-strong
--param ssp-buffer-size=4
-pie -fPIE
-D_FORTIFY_SOURCE=2 -O1
-Wl,-z,relro,-z,now
-ftrapv
}}}
Uhm. We are doing already most of those things. Have you looked at our gitian build scripts?

Sorry I hadn't found the existing build flags before posting this ticket. I discussed with gk what is already in our build scripts.

On linux, we have in gitian/descriptors/linux/gitian-firefox.yml: {{{ export DEB_BUILD_HARDENING=1 export DEB_BUILD_HARDENING_STACKPROTECTOR=1 export DEB_BUILD_HARDENING_FORTIFY=1 export DEB_BUILD_HARDENING_FORMAT=1 export DEB_BUILD_HARDENING_PIE=1


  Indeed this covers most of the flags I mentioned. I'm not sure about `-Wl,-z,relro,-z,now`. gk, do you know how these are covered? boklm pointed me to [a part of the Tor Browser test suite](https://gitweb.torproject.org/boklm/tor-browser-bundle-testsuite.git/tree/TBBTestSuite/TestSuite/BrowserBundleTests.pm#n45) that seems to indicate that full relro is applied. Is that correct?

  I think it would be useful also to somehow confirm that we are now using -fstack-protector-strong and not -fstack-protector; I will try to investigate that.

* On Windows, we have in [gitian/build-helpers/i686-w64-mingw32-g++](https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/build-helpers/i686-w64-mingw32-g++):

/home/ubuntu/install/mingw-w64/bin/i686-w64-mingw32-g++ -Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -fstack-protector --param ssp-buffer-size=4 -fno-strict-overflow "$@"

  I'm not familiar with Windows/mingw build flags, but it looks like we could possibly switch to -fstack-protector-strong. Also I wonder if -D_FORTIFY_SOURCE=2 and the relro flags make sense.

* On Mac, we are adding -fPIE to the clang flags in [gitian/descriptors/mac/gitian-firefox.yml](https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/descriptors/mac/gitian-firefox.yml#n43). clang largely supports gcc's build flags so I think we could probably add most or all of the flags from comment:6 to the build. (I tried all of those flags with clang++ while building a "hello world" c++ program and confirmed that clang++ at least did not complain that any of the flags were unknown.)

> And I am not so sure we should build with `ftrapv` see comment:1:ticket:18310.

That's interesting. I'm not sure what the right answer is. RCE seems a lot worse than DOS, though.

> > Note I am leaving out more advanced mitigations like -fvtable-verify=std for this iteration because getting these to work is likely to be complex.
> 
> That is broken and not working due to Mozilla internals, see: https://bugzilla.mozilla.org/show_bug.cgi?id=1046600

I read in [Tice et al 2014](https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-tice.pdf) that there is a mechanism in the VTV code to "whitelist" some parts of the code that would otherwise fail verification. I wonder if that feature is deployed in the gcc VTV implementation and could be used to get around the problematic vtable hacking Nathan Froyd [mentions in the Mozilla bug](https://bugzilla.mozilla.org/show_bug.cgi?id=1046600#c2). Similarly, clang's -fsanitize has an option to["blacklist"](https://clang.llvm.org/docs/ControlFlowIntegrity.html#forward-edge-cfi-for-virtual-calls) certain functions so that they also don't fail verification.

Something else that occurs to me is it would be nice to document our hardening flags for each build (hardened, alpha, release) in the Tor Browser design document.

Replying to arthuredelstein:

Replying to gk:

Replying to arthuredelstein:

Here are some security flags I think we can add to the gcc-based builds (Linux and mingw). There is heavy overlap with the proposed flags in https://bugzilla.mozilla.org/show_bug.cgi?id=620058. (I think we should be able to add similar flags to the clang based builds -- I will look into that after we settle on flags to add to gcc.) {{{ -Werror=format -Werror=format-security -fstack-protector-strong --param ssp-buffer-size=4 -pie -fPIE -D_FORTIFY_SOURCE=2 -O1 -Wl,-z,relro,-z,now -ftrapv }}}

Uhm. We are doing already most of those things. Have you looked at our gitian build scripts?

Sorry I hadn't found the existing build flags before posting this ticket. I discussed with gk what is already in our build scripts.

On linux, we have in gitian/descriptors/linux/gitian-firefox.yml: {{{ export DEB_BUILD_HARDENING=1 export DEB_BUILD_HARDENING_STACKPROTECTOR=1 export DEB_BUILD_HARDENING_FORTIFY=1 export DEB_BUILD_HARDENING_FORMAT=1 export DEB_BUILD_HARDENING_PIE=1 }}}

Indeed this covers most of the flags I mentioned. I'm not sure about -Wl,-z,relro,-z,now. gk, do you know how these are covered? boklm pointed me to a part of the Tor Browser test suite that seems to indicate that full relro is applied. Is that correct?

Yes, full relro is applied. I think we get the flags you mentioned by export DEB_BUILD_HARDENING=1. The other *HARDENING flags should not be needed. I opened #21565 (moved) for the clean-up.

[snip]

And I am not so sure we should build with ftrapv see comment:1:ticket:18310.

That's interesting. I'm not sure what the right answer is. RCE seems a lot worse than DOS, though.

-ftrapv is not the only means we apply to Tor Browser. A useful exercise would be to understand for which cases -ftrapv would be needed given all our other hardening flags.

[snip]

Something else that occurs to me is it would be nice to document our hardening flags for each build (hardened, alpha, release) in the Tor Browser design document.

True. I've opened #21566 (moved).

hardening-wrapper is obsolete and has been removed from unstable. Please use dpkg-buildflags as explained above. https://wiki.debian.org/Hardening#hardening-wrapper hardening-check can only check the resulting binaries and thus might not catch missing hardening flags if they are only missing in a few places. blhc is a small parser written in Perl which checks the build logs for missing hardening flags. It can be used on build logs created by dpkg-buildpackage or buildd. http://ruderich.org/simon/blhc/

For comparison, here are the current Firefox release build flags: For comparison we need ESR52 build options, both 32-bit and 64-bit for every OS. What about official MinGW builds?

I'm not familiar with Windows/mingw build flags, but it looks like we could possibly switch to -fstack-protector-strong. All occurrences of -fstack-protector --param ssp-buffer-size=4 should be replaced with at least -fstack-protector=strong. http://www.outflux.net/blog/archives/2014/01/27/fstack-protector-strong/ For those who want to protect all the functions then -fstack-protector-all is recommended. https://wiki.debian.org/Hardening#DEB_BUILD_HARDENING_STACKPROTECTOR_.28gcc.2Fg.2B-.2B--fstack-protector-strong.29 Also I wonder if -D_FORTIFY_SOURCE=2 and the relro flags make sense. -D_FORTIFY_SOURCE=2 -O1 is a Compile-time protection against static sized buffer overflows. No known regressions or performance loss. This should be enabled system-wide. https://wiki.debian.org/Hardening#gcc-D_FORTIFY_SOURCE.3D2_-O1

Some info about using -Os: https://stackoverflow.com/questions/19470873/why-does-gcc-generate-15-20-faster-code-if-i-optimize-for-size-instead-of-speed?rq=1

About integer overflow checking, -ftrapv in particular: Research: https://people.csail.mit.edu/nickolai/papers/wang-stack-tocs.pdf -ftrapv is not the best option: https://stackoverflow.com/questions/20851061/how-to-make-gcc-ftrapv-work#20851708 Practical usage: https://danluu.com/integer-overflow/

#8491 (moved) seems to be a dupe.

A comment from #8491 (moved) noted:

UBSan for the libraries that need it would also be valuable, especially image and TLS libraries.

Closing #8491 (moved) as duplicate as this one has a more detailed discussion.

After a lot of experimentation, I opened #23024 (moved) and #23025 (moved) to add some extra hardening flags for Windows and Mac respectively. In the meantime I also found several promising flags didn't work after all:

Windows (mingw cross-compile):

-z,relro,-z,now fails (is there an equivalent flag for Windows binaries?)
Werror=format throws errors (around uses of %lld)
-fstack-protector-strong didn't build; in #23024 (moved) I propose trying -fstack-protector-all instead.

macOS (clang-based cross compile):

-z,relro,-z,now fails (is there an equivalent flag for Mac binaries?)

Replying to arthuredelstein: During your investigations Mozilla suddenly started to harden Firefox :0. So this looks like the third part of Tor Patch Uplifting project (next to FPI and fingerprinting). (Mark their tickets accordingly ;)

-z,relro,-z,now fails (is there an equivalent flag for Windows binaries?) This is how it works on Windows by default, no equivalents required. -Wl,-z,relro,-z,now when "Options passed to the compiler when linking executables or shared objects" or -z relro -z now "if the linker is called directly". relro - "Create an ELF PT_GNU_RELRO segment header in the object." (i.e. Linux only) This is https://bugzilla.mozilla.org/show_bug.cgi?id=1359912 (and dependencies!) now - Don't use Linux-only lazy binding This is https://bugzilla.mozilla.org/show_bug.cgi?id=1359918

Werror=format throws errors (around uses of %lld) Mozilla uses -Wno-format, because "# We use mix of both POSIX and Win32 printf format across the tree, so format warnings are useless on mingw." But, suddenly, https://bugzilla.mozilla.org/show_bug.cgi?id=1359915

-fstack-protector-strong didn't build; in #23024 (moved) I propose trying -fstack-protector-all instead. This is https://bugzilla.mozilla.org/show_bug.cgi?id=620058, but have you noticed https://bugzilla.mozilla.org/show_bug.cgi?id=1359905? -fstack-protector-all is better for security.

Also see https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/descriptors/windows/gitian-utils.yml#n129 and below... (What's up with https://bugzilla.mozilla.org/show_bug.cgi?id=1359914?)

Any thoughts about comment:10?

Tor Team is doing something similar in #22660 (moved). This is https://bugzilla.mozilla.org/show_bug.cgi?id=1374345 But -z noexecstack needs checking whether stupid linker emits execstack by default? But -Wa,--noexecstack for assembler parts makes sense. This is https://bugzilla.mozilla.org/show_bug.cgi?id=671426