Bug 138228

Summary: [bsd.port.mk] [exp-run] New opt-in knob to compile ports with SSP
Product: Ports & Packages Reporter: Jeremie Le Hen <jeremie>
Component: Individual Port(s)Assignee: Bryan Drewery <bdrewery>
Status: Closed FIXED    
Severity: Affects Only Me CC: jeremie
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
perl_512_ssp_diff.txt
none
ports_WITH_SSP.diff
none
ports_WITH_SSP.diff none

Description Jeremie Le Hen 2009-08-27 08:30:02 UTC
	The first patch add a knew knob WITH_SSP_PORTS that, if enabled,
	will add -fstack-protector to CFLAGS.  I've chosen this name to
	not conflict with WITH_SSP that affects src/ build.

	This is a great win in term of security and follows the trail
	of FreeBSD-8.0 which is now compiled with SSP (opt-out).

	Although most of the ports build smoothly with this knob turned on,
	few of them won't build out of the box.  With kan@'s recent change
	to put SSP symbols in libssp_static.a instead of libc,
	-fstack-protector must be provided explicitely at link time.
	lang/perl-5.* for instance have to be slightly modified to be built
	with SSP as it does not pay attention to LDFLAGS.
	You will find another patch attached for lang/perl* as well.

	I don't have the power and time necessary to test and fix every
	ports, but given this is an opt-in I think we could live with this
	and let patches trickle in the ports tree.

--- WITH_SSP_PORTS.patch begins here ---
Index: Mk/bsd.port.mk
===================================================================
RCS file: /mnt/repos/freebsd-cvsroot/ports/Mk/bsd.port.mk,v
retrieving revision 1.626
diff -u -p -u -r1.626 bsd.port.mk
--- Mk/bsd.port.mk	22 Aug 2009 19:32:48 -0000	1.626
+++ Mk/bsd.port.mk	26 Aug 2009 22:33:25 -0000
@@ -1629,6 +1629,12 @@ CFLAGS:=	${CFLAGS:C/${_CPUCFLAGS}//}
 .endif
 .endif
 
+.if defined(WITH_SSP_PORTS)
+SSP_FLAGS?=		-fstack-protector
+CFLAGS:=		${CFLAGS} ${SSP_FLAGS}
+LDFLAGS:=		${LDFLAGS} -fstack-protector
+.endif
+
 .if defined(WITH_DEBUG) && !defined(WITHOUT_DEBUG)
 STRIP=	#none
 STRIP_CMD=	${TRUE}
--- WITH_SSP_PORTS.patch ends here ---

--- WITH_SSP_PORTS_lang_perl.patch begins here ---
Index: lang/perl5.10/Makefile
===================================================================
RCS file: /mnt/repos/freebsd-cvsroot/ports/lang/perl5.10/Makefile,v
retrieving revision 1.112
diff -u -p -u -r1.112 Makefile
--- lang/perl5.10/Makefile	6 Jul 2009 12:16:07 -0000	1.112
+++ lang/perl5.10/Makefile	26 Aug 2009 22:26:43 -0000
@@ -86,6 +86,10 @@ STRIP_CMD=	${TRUE}
 CONFIGURE_ARGS+=	-Doptimize="${CFLAGS}"
 .endif
 
+.if defined(WITH_SSP_PORTS)
+CONFIGURE_ARGS+=        -A append:ldflags=-fstack-protector
+.endif
+
 .if defined(ENABLE_SUIDPERL) || defined(WITH_SUIDPERL)
 CONFIGURE_ARGS+=	-Dd_dosuid=define
 PLIST_SUB+=		SUIDPERL=""
Index: lang/perl5.8/Makefile
===================================================================
RCS file: /mnt/repos/freebsd-cvsroot/ports/lang/perl5.8/Makefile,v
retrieving revision 1.108
diff -u -p -u -r1.108 Makefile
--- lang/perl5.8/Makefile	7 Aug 2009 11:03:10 -0000	1.108
+++ lang/perl5.8/Makefile	26 Aug 2009 22:26:52 -0000
@@ -89,6 +89,10 @@ STRIP_CMD=	${TRUE}
 CONFIGURE_ARGS+=	-Doptimize="${CFLAGS}"
 .endif
 
+.if defined(WITH_SSP_PORTS)
+CONFIGURE_ARGS+=        -A append:ldflags=-fstack-protector
+.endif
+
 .if defined(ENABLE_SUIDPERL) || defined(WITH_SUIDPERL)
 CONFIGURE_ARGS+=	-Dd_dosuid=define
 PLIST_SUB+=		SUIDPERL=""
--- WITH_SSP_PORTS_lang_perl.patch ends here ---
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2009-08-27 08:58:50 UTC
Responsible Changed
From-To: freebsd-ports-bugs->portmgr

will require -exp run. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=138228 

Date: Sat, 31 Jul 2010 10:04:44 +0200
Comment 2 Mark Linimon 2010-07-31 15:13:03 UTC
On Sat, Jul 31, 2010 at 10:04:44AM +0200, Jeremie Le Hen wrote:
> There are clearly a lot of ports broken by this commit, but I think it
> would be overly difficult to find and fix them all before committing this.
[...]
> I know there is no branch in ports/ as in src/ to test new features, but
> certainly you have already been faced to such a problem in the past.
> How did you manage this?

Our solution to the problem of changes that affect bsd.port.mk and thus
many ports, is to do a 'test build' across the entire ports tree to find
errors before committing.  Too many people automatically update ports to
allow a lot of ports to be broken.  This system is not perfect, but until
we get more resources*, it's the best one we have.

mcl

* I am working hard on getting us more horsepower for -exp runs.
Comment 3 b. f. 2010-08-11 22:04:59 UTC
It would be nice to see SSP finally available in the vanilla ports
tree, several years after it was enabled by default in the base
system.  I should explicitly note, since it isn't mentioned here, that
this is architecture-dependent:  SSP is not enabled in the base system
for ia64, arm, or mips (see bsd.sys.mk); and also that the results of
any tests will vary by architecture: for example, because of
differences in the implementation details, more ports are likely to
fail with these changes on i386 than on amd64. Also, any tests should
determine whether SSP was actually enabled in the resulting packages,
by examining the binaries, and not just whether the ports can be
built, installed, and packaged.

...

>+.if defined(WITH_SSP_PORTS)
>+SSP_FLAGS?= -fstack-protector
>+CFLAGS:= ${CFLAGS} ${SSP_FLAGS}
>+LDFLAGS:= ${LDFLAGS} -fstack-protector

Shouldn't this last line be:

+LDFLAGS:= ${LDFLAGS}${SSP_FLAGS}

The current line, with "-fstack-protector" hard-coded, seems to defeat
the purpose of SSP_FLAGS.

With regard to the perl* patches:  the use of  append:ldflags is
expedient (here again, though, SSP_CFLAGS should be appended, and not
-fstack-protector), but it does not fully address the real problem --
that these ports do not respect LDFLAGS.  They should be patched so
that they do, because we will need this not only for SSP, but also if
we are to introduce the wider use of alternative compilers and
toolchains from ports, or the use of flags like -fwhopr, -flto*, or
--as-needed, which can yield substantial benefits.  Making all ports
respect LDFLAGS is better than adding a bunch of ad hoc patches just
for SSP, which will then have to be extended later anyway.

Regards,
                 b.
Comment 4 b. f. 2010-08-11 22:36:03 UTC
> With regard to the perl* patches:  the use of  append:ldflags is
> expedient (here again, though, SSP_CFLAGS should be appended, and not
> -fstack-protector), but it does not fully address the real problem --
> that these ports do not respect LDFLAGS.  They should be patched so
> that they do, because we will need this not only for SSP, but also if
> we are to introduce the wider use of alternative compilers and
> toolchains from ports, or the use of flags like -fwhopr, -flto*, or
> --as-needed, which can yield substantial benefits.  Making all ports
> respect LDFLAGS is better than adding a bunch of ad hoc patches just
> for SSP, which will then have to be extended later anyway.

As an example, I patched lang/perl5.12 (hurriedly, and some time ago,
so you should check whether all of the changes were necessary) to do
this.  Patch attached.  Changes needed for the other versions of perl
ought to be similar.

b.
Comment 5 swell.k 2011-01-05 12:22:29 UTC
> The first patch add a knew knob WITH_SSP_PORTS that, if enabled,
> will add -fstack-protector to CFLAGS. I've chosen this name to
> not conflict with WITH_SSP that affects src/ build.

Why different name for FLAGS, i.e. SSP_FLAGS vs. SSP_CFLAGS ? There are
ports that use bsd.{prog,lib}.mk in the tree. With your patch they'd
only respect WITH_SSP.
Comment 6 Bryan Drewery freebsd_committer freebsd_triage 2013-03-21 21:42:17 UTC
Responsible Changed
From-To: portmgr->bdrewery

take
Comment 7 dfilter service freebsd_committer freebsd_triage 2013-06-12 22:12:18 UTC
Author: jlh
Date: Wed Jun 12 21:12:05 2013
New Revision: 251668
URL: http://svnweb.freebsd.org/changeset/base/251668

Log:
  Turn libc.so into an ld script rather than a symlink pointing to the
  real shared object and libssp_nonshared.a.
  
  This was the last showstopper that prevented from enabling SSP for ports
  by default.  portmgr@ performed a buildworld which showed no significant
  breakage with this patch.
  
  Details:
  
  On i386 for PIC objects, gcc uses the __stack_chk_fail_local hidden
  symbol instead of calling __stack_chk_fail directly [1].  This happen
  not only with our gcc-4.2.1 but also with the latest gcc-4.8.  If you
  want the very nasty details, see [2].
  
  OTOH the problem doesn't exist on other architectures.  It also doesn't
  exist with Clang as the latter will somehow manage to create the
  function in the object file at compile time (contrary to only
  referencing it through a symbol that will be brought in at link time).
  
  In a perfect world, when an object file is compiled with
  -fstack-protector, it will be linked into a binary or a DSO with this
  same flag as well, so GCC will add libssp_nonshared.a to the linker
  command-line.  Unfortunately, we don't control softwares in ports and we
  may have such broken DSO.  This is the whole point of this patch.
  
  You can reproduce the problem on i386 by compiling a source file into an
  object file with "-fstack-protector-all -fPIE" and linking it
  into a binary without "-fstack-protector".
  
  This ld script automatically proposes libssp_nonshared.a along with the
  real libc DSO to the linker.  It is important to understand that the
  object file contained in this library will be pulled in the resulting
  binary _only if_ the linker notices one of its symbols is needed (i.e.
  one of the SSP symbol is missing).
  
  A theorical performance impact could be when compiling, but my testing
  showed less than 0.1% of difference.
  
  [1] For 32-bit code gcc saves the PIC register setup by using
      __stack_chk_fail_local hidden function instead of calling
      __stack_chk_fail directly.  See comment line 19460 in:
      src/contrib/gcc/config/i386/i386.c
  
  [2] When compiling a source file to an object file, if you use something
      which is external to the compilation unit, GCC doesn't know yet if
      this symbol will be inside or outside the DSO.  So it expects the
      worst case and routes the symbol through the GOT, which means
      additional space and extra relocation for rtld(1).
  
      Declaring a symbol has hidden tells GCC to use the optimal route (no
      GOT), but on the other hand this means the symbol has to be provided
      in the same DSO (namely libssp_nonshared.a).
  
      On i386, GCC actually uses an hidden symbol for SSP in PIC objects
      to save PIC register setup, as said in [1].
  
  PR:		ports/138228
  PR:		ports/168010
  Reviewed by:	kib, kan

Added:
  head/lib/libc/libc.ldscript   (contents, props changed)
Modified:
  head/lib/libc/Makefile

Modified: head/lib/libc/Makefile
==============================================================================
--- head/lib/libc/Makefile	Wed Jun 12 20:11:49 2013	(r251667)
+++ head/lib/libc/Makefile	Wed Jun 12 21:12:05 2013	(r251668)
@@ -23,6 +23,7 @@ LIBC_ARCH=${MACHINE_CPUARCH}
 # to CFLAGS below.  -DSYSLIBC_SCCS affects just the system call stubs.
 LIB=c
 SHLIB_MAJOR= 7
+SHLIB_LDSCRIPT=libc.ldscript
 WARNS?=	2
 CFLAGS+=-I${.CURDIR}/include -I${.CURDIR}/../../include
 CFLAGS+=-I${.CURDIR}/${LIBC_ARCH}

Added: head/lib/libc/libc.ldscript
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/lib/libc/libc.ldscript	Wed Jun 12 21:12:05 2013	(r251668)
@@ -0,0 +1,2 @@
+/* $FreeBSD$ */
+GROUP ( @@SHLIB@@ @@LIBDIR@@/libssp_nonshared.a )
_______________________________________________
svn-src-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
Comment 8 Jeremie Le Hen freebsd_committer freebsd_triage 2013-08-15 10:10:25 UTC
On Wed, Jan 05, 2011 at 03:22:29PM +0300, Anonymous wrote:
> > The first patch add a knew knob WITH_SSP_PORTS that, if enabled,
> > will add -fstack-protector to CFLAGS. I've chosen this name to
> > not conflict with WITH_SSP that affects src/ build.
> 
> Why different name for FLAGS, i.e. SSP_FLAGS vs. SSP_CFLAGS ? There are
> ports that use bsd.{prog,lib}.mk in the tree. With your patch they'd
> only respect WITH_SSP.

Here is an updated patch, taking into account the recents changes in the
base system (which help a lot).  You can scratch all the previous
patches in this PR.

The knobs are now the same as in the base system.

Bryan, can you please do an exp-run with it?

Cheers,
-- 
Jeremie Le Hen

Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.
Comment 9 Jeremie Le Hen freebsd_committer freebsd_triage 2013-08-15 10:36:09 UTC
On Thu, Aug 15, 2013 at 11:10:25AM +0200, Jeremie Le Hen wrote:
> 
> Bryan, can you please do an exp-run with it?

Updated without a typo.  Note that the output on the GNAT web interface
is mangled, but indentation is correct.

-- 
Jeremie Le Hen

Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.
Comment 10 Bryan Drewery freebsd_committer freebsd_triage 2013-08-15 12:48:54 UTC
On 8/15/2013 4:10 AM, Jeremie Le Hen wrote:
> On Wed, Jan 05, 2011 at 03:22:29PM +0300, Anonymous wrote:
>>> The first patch add a knew knob WITH_SSP_PORTS that, if enabled,
>>> will add -fstack-protector to CFLAGS. I've chosen this name to
>>> not conflict with WITH_SSP that affects src/ build.
>>
>> Why different name for FLAGS, i.e. SSP_FLAGS vs. SSP_CFLAGS ? There are
>> ports that use bsd.{prog,lib}.mk in the tree. With your patch they'd
>> only respect WITH_SSP.
> 
> Here is an updated patch, taking into account the recents changes in the
> base system (which help a lot).  You can scratch all the previous
> patches in this PR.
> 
> The knobs are now the same as in the base system.
> 
> Bryan, can you please do an exp-run with it?
> 
> Cheers,
> 


Will do this week. Thanks!

-- 
Regards,
Bryan Drewery
Comment 11 Jeremie Le Hen freebsd_committer freebsd_triage 2013-08-17 08:58:02 UTC
On Thu, Aug 15, 2013 at 06:48:54AM -0500, Bryan Drewery wrote:
> On 8/15/2013 4:10 AM, Jeremie Le Hen wrote:
> > On Wed, Jan 05, 2011 at 03:22:29PM +0300, Anonymous wrote:
> >>> The first patch add a knew knob WITH_SSP_PORTS that, if enabled,
> >>> will add -fstack-protector to CFLAGS. I've chosen this name to
> >>> not conflict with WITH_SSP that affects src/ build.
> >>
> >> Why different name for FLAGS, i.e. SSP_FLAGS vs. SSP_CFLAGS ? There are
> >> ports that use bsd.{prog,lib}.mk in the tree. With your patch they'd
> >> only respect WITH_SSP.
> > 
> > Here is an updated patch, taking into account the recents changes in the
> > base system (which help a lot).  You can scratch all the previous
> > patches in this PR.
> > 
> > The knobs are now the same as in the base system.
> > 
> > Bryan, can you please do an exp-run with it?
> > 
> > Cheers,
> > 
> 
> Will do this week. Thanks!

There's another problem in the patch: s/fi/endif/

for i in seq 100; do
    echo I should test my patches before submitting them.
done

-- 
Jeremie Le Hen

Scientists say the world is made up of Protons, Neutrons and Electrons.
They forgot to mention Morons.
Comment 12 Bryan Drewery freebsd_committer freebsd_triage 2013-09-20 13:55:09 UTC
State Changed
From-To: open->closed

WITH_SSP committed!
Comment 13 dfilter service freebsd_committer freebsd_triage 2013-09-20 13:55:17 UTC
Author: bdrewery
Date: Fri Sep 20 12:54:54 2013
New Revision: 327697
URL: http://svnweb.freebsd.org/changeset/ports/327697

Log:
  SSP support has been added to ports with WITH_SSP for i386 and amd64
  on FreeBSD 10, and amd64 on earlier versions.
  
  SSP_UNSAFE is added to disable in a port if it fails to build, but
  this should only be used in rare circumstances such as kernel modules.
  Otherwise, the port may just be failing due to lack of respecting
  LDFLAGS.
  
  On FreeBSD 10, this uses an ldscript in /usr/lib/libc.so to pull in
  libssp_nonshared.a to address issues linking on i386 [1].
  
  On earlier FreeBSD versions the WITH_SSP knob will add -lssp_nonshared
  to LDFLAGS on i386. This is not needed on amd64. However, several hundred
  ports do not currently respect LDFLAGS, so this support is disabled currently
  as it causes build failures if a dependency is looking for the stack_chk
  symbols.
  
  Many thanks to jlh@ for this as he had many years of patience in getting
  all of the necessary pieces [1][2] in.
  
  [1] http://svnweb.freebsd.org/base/head/lib/libc/libc.ldscript?revision=251668&view=markup
  
  PR:		ports/138228 [2]
  Submitted by:	jlh (bsd.ssp.mk based on)
  Reviewed by:	bapt
  With hat:	portmgr
  exp-runs done:	37 over a month on 91i386,91amd64,10i386,10amd64

Added:
  head/Mk/bsd.ssp.mk   (contents, props changed)
Modified:
  head/CHANGES
  head/Mk/bsd.port.mk
  head/UPDATING
  head/audio/csound/Makefile
  head/audio/emu10kx/Makefile
  head/audio/oss/Makefile
  head/comms/uarduno/Makefile
  head/comms/uartlirc/Makefile
  head/devel/libtecla/Makefile
  head/devel/mingw32-gcc/Makefile
  head/dns/c-ares/Makefile
  head/editors/emacs21/Makefile
  head/emulators/kqemu-kmod-devel/Makefile
  head/emulators/kqemu-kmod/Makefile
  head/emulators/open-vm-tools/Makefile
  head/emulators/parallels-tools/Makefile
  head/emulators/rtc/Makefile
  head/ftp/curl-hiphop/Makefile
  head/ftp/curl/Makefile
  head/games/gtkradiant/Makefile
  head/graphics/kix-kmod/Makefile
  head/graphics/plasma-kmod/Makefile
  head/lang/gcc/Makefile
  head/lang/gcc34/Makefile
  head/lang/gcc42/Makefile
  head/lang/gcc44/Makefile
  head/lang/gcc46/Makefile
  head/lang/gcc47/Makefile
  head/lang/gcc48/Makefile
  head/lang/gcc49/Makefile
  head/lang/libobjc2/Makefile
  head/lang/ocaml/Makefile
  head/misc/dahdi-kmod/Makefile
  head/misc/dahdi-kmod26/Makefile
  head/multimedia/cuse4bsd-kmod/Makefile
  head/multimedia/cx88/Makefile
  head/multimedia/linux_dvbwrapper-kmod/Makefile
  head/multimedia/ptx-kmod/Makefile
  head/multimedia/pwcbsd/Makefile
  head/net-mgmt/netams/Makefile
  head/net/aoe/Makefile
  head/net/etherboot/Makefile
  head/net/iet/Makefile
  head/net/ng_daphne/Makefile
  head/net/ng_mikrotik_eoip/Makefile
  head/net/skyfish/Makefile
  head/net/userfw/Makefile
  head/print/acroreadwrapper/Makefile
  head/security/quantis-kmod/Makefile
  head/sysutils/acpi_call/Makefile
  head/sysutils/biosfont/Makefile
  head/sysutils/fusefs-kmod/Makefile
  head/sysutils/graid5/Makefile
  head/sysutils/grub2/Makefile
  head/sysutils/mono-kmod/Makefile
  head/sysutils/pefs-kmod/Makefile
  head/sysutils/pmap/Makefile
  head/sysutils/scprotect/Makefile
  head/sysutils/vordog/Makefile
  head/x11/nvidia-driver/Makefile

Modified: head/CHANGES
==============================================================================
--- head/CHANGES	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/CHANGES	Fri Sep 20 12:54:54 2013	(r327697)
@@ -10,6 +10,28 @@ in the release notes and/or placed into 
 
 All ports committers are allowed to commit to this file.
 
+20130920:
+AUTHOR: bdrewery@FreeBSD.org
+
+  SSP support has been added to ports with WITH_SSP for i386 and amd64
+  on FreeBSD 10, and amd64 on earlier versions.
+
+  SSP_UNSAFE is added to disable in a port if it fails to build, but
+  this should only be used in rare circumstances such as kernel modules.
+  Otherwise, the port may just be failing due to lack of respecting
+  LDFLAGS.
+
+  On FreeBSD 10, this uses an ldscript in /usr/lib/libc.so to pull in
+  libssp_nonshared.a to address issues linking on i386 [1].
+  
+  On earlier FreeBSD versions the WITH_SSP knob will add -lssp_nonshared
+  to LDFLAGS on i386. This is not needed on amd64. However, several hundred
+  ports do not currently respect LDFLAGS, so this support is disabled currently
+  as it causes build failures if a dependency is looking for the stack_chk
+  symbols.
+
+  [1] http://svnweb.freebsd.org/base/head/lib/libc/libc.ldscript?revision=251668&view=markup
+
 20130919:
 AUTHOR: gahr@FreeBSD.org
 

Modified: head/Mk/bsd.port.mk
==============================================================================
--- head/Mk/bsd.port.mk	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/Mk/bsd.port.mk	Fri Sep 20 12:54:54 2013	(r327697)
@@ -301,6 +301,13 @@ FreeBSD_MAINTAINER=	portmgr@FreeBSD.org
 #                         passed to the compiler by setting DEBUG_FLAGS. It is
 #                         set to "-g" at default.
 #
+# WITH_SSP		- If set, SSP_FLAGS (defaults to -fstack-protector)
+#				  is added to CFLAGS and the necessary flags
+#				  are added to LDFLAGS. Note that SSP_UNSAFE
+#				  can be used in Makefiles by port maintainers
+#				  if a port breaks with it (it should be
+#				  extremely rare).
+#
 # USE_BZIP2		- If set, this port tarballs use bzip2, not gzip, for
 #				  compression.
 # USE_LHA		- If set, this port distfile uses lha for compression
@@ -1563,6 +1570,10 @@ DEBUG_FLAGS?=	-g
 CFLAGS:=		${CFLAGS:N-O*:N-fno-strict*} ${DEBUG_FLAGS}
 .endif
 
+.if defined(WITH_SSP)
+.include "${PORTSDIR}/Mk/bsd.ssp.mk"
+.endif
+
 .if defined(NOPORTDOCS)
 PLIST_SUB+=		PORTDOCS="@comment "
 .else

Added: head/Mk/bsd.ssp.mk
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/Mk/bsd.ssp.mk	Fri Sep 20 12:54:54 2013	(r327697)
@@ -0,0 +1,30 @@
+# $FreeBSD$
+# SSP Support
+
+SSP_Include_MAINTAINER=	portmgr@FreeBSD.org
+
+# See: http://svnweb.freebsd.org/base/head/lib/libc/libc.ldscript?revision=251668&view=markup
+.if ${OSVERSION} < 1000036 && ${ARCH} == i386
+
+# Disabled on i386 for now on releases without the ldscript as too many ports
+# do not respect LDFLAGS and fail to build due to not adding in -lssp_nonshared when needed
+# despite dependencies working fine, which breaks a lot. Can enable once LDFLAGS is more
+# supported. XXX
+SSP_UNSAFE=		yes
+
+# i386 needs -lssp_nonshared, see svn link above for more information
+SSP_NEED_NONSHARED=	yes
+.endif
+
+.if defined(WITH_SSP) && !defined(WITHOUT_SSP) && !defined(SSP_UNSAFE) && \
+    (${ARCH} == i386 || ${ARCH} == amd64)
+# Overridable as a user may want to use -fstack-protector-all
+SSP_CFLAGS?=	-fstack-protector
+CFLAGS:=	${CFLAGS} ${SSP_CFLAGS}
+LDFLAGS:=	${LDFLAGS} -fstack-protector
+# -lssp_nonshared is needed on i386 where /usr/lib/libc.so is not an ldscript
+# This is currently unused XXX
+.	if defined(SSP_NEED_NONSHARED)
+LDFLAGS:=	${LDFLAGS} -lssp_nonshared
+.	endif
+.endif

Modified: head/UPDATING
==============================================================================
--- head/UPDATING	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/UPDATING	Fri Sep 20 12:54:54 2013	(r327697)
@@ -5,6 +5,30 @@ they are unavoidable.
 You should get into the habit of checking this file for changes each time
 you update your ports collection, before attempting any port upgrades.
 
+20130920:
+  AFFECTS: Users of ports
+  AUTHOR: bdrewery@FreeBSD.org
+
+  Optional Stack Protector [1] support has been added with the WITH_SSP
+  knob.
+
+  This currently is only supported on FreeBSD 10 amd64/i386 and earlier
+  releases on amd64 only.
+
+  The default SSP_CLFAGS is -fstack-protector, but -fstack-protector-all
+  may optionally be set instead.
+
+  To enable support, add WITH_SSP=yes to your make.conf and rebuild all
+  ports.
+
+  # portmaster -af
+
+  or
+
+  # portupgrade -af
+
+  [1] https://en.wikipedia.org/wiki/Buffer_overflow_protection
+
 20130904:
   AFFECTS: 10-CURRENT users with any port depending on converters/libiconv
   AUTHOR: madpilot@FreeBSD.org

Modified: head/audio/csound/Makefile
==============================================================================
--- head/audio/csound/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/audio/csound/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -35,6 +35,7 @@ FLTK_DESC=	Build FLTK plugin and GUI
 
 CONFLICTS_INSTALL=	outguess-*
 
+SSP_UNSAFE=	yes
 USE_PYTHON=	2.6+
 USES=		bison gettext
 USE_SCONS=	yes

Modified: head/audio/emu10kx/Makefile
==============================================================================
--- head/audio/emu10kx/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/audio/emu10kx/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -1,9 +1,5 @@
-# Ports collection makefile for: emu10kx
-# Date created:  7 Aug 2005
-# Whom: michaels@sdf.lonestar.org
-#
+# Created by: michaels@sdf.lonestar.org
 # $FreeBSD$
-#
 
 PORTNAME=	emu10kx
 PORTVERSION=	20051021
@@ -17,6 +13,7 @@ COMMENT=	SBLive!, Audigy, and Audigy2 dr
 USE_BZIP2=	yes
 
 NO_PACKAGE=	should be recompiled for a particular FreeBSD kernel
+SSP_UNSAFE=	kernel module does not support ssp
 
 MAN8=	emuctrl.8
 PLIST_FILES=	sbin/emuctrl etc/rc.d/emuctrl.sh

Modified: head/audio/oss/Makefile
==============================================================================
--- head/audio/oss/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/audio/oss/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -14,6 +14,7 @@ LICENSE=	BSD
 
 BUILD_DEPENDS=	gawk:${PORTSDIR}/lang/gawk
 
+SSP_UNSAFE=	kernel module does not support ssp
 USE_BZIP2=	yes
 ALL_TARGET=	all install
 USE_GNOME=	gtk20

Modified: head/comms/uarduno/Makefile
==============================================================================
--- head/comms/uarduno/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/comms/uarduno/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -11,6 +11,8 @@ COMMENT=	FreeBSD Kernel Driver for the A
 
 NO_PACKAGE=	You must (re)build this port with your kernel source
 
+SSP_UNSAFE=	kernel module does not support ssp
+
 # need to enforce installation into kernel module directory
 MAKE_ENV+=	KMODDIR=${KMODDIR}
 PREFIX=		${KMODDIR}

Modified: head/comms/uartlirc/Makefile
==============================================================================
--- head/comms/uartlirc/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/comms/uartlirc/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -1,9 +1,5 @@
-# New ports collection makefile for:	uarlirc
-# Date created:				Sun May 13 17:39:40 CEST 2012
-# Whom:					nox@FreeBSD.org
-#
+# Created by: nox@FreeBSD.org
 # $FreeBSD$
-#
 
 PORTNAME=	uartlirc
 PORTVERSION=	0.3
@@ -17,6 +13,8 @@ EXTRACT_SUFX=	.shar
 MAINTAINER=	nox@FreeBSD.org
 COMMENT=	Driver for "homebrew" serial LIRC receivers
 
+SSP_UNSAFE=	kernel module does not support ssp
+
 WRKSRC=		${WRKDIR}/${PORTNAME}
 EXTRACT_CMD=	${SH}
 EXTRACT_BEFORE_ARGS=

Modified: head/devel/libtecla/Makefile
==============================================================================
--- head/devel/libtecla/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/devel/libtecla/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -1,10 +1,5 @@
-# ex:ts=8
-# New ports collection makefile for:	libtecla
-# Date created:		Feb 12, 2001
-# Whom:			Ying-Chieh Liao <ijliao@FreeBSD.org>
-#
+# Created by: Ying-Chieh Liao <ijliao@FreeBSD.org>
 # $FreeBSD$
-#
 
 PORTNAME=	libtecla
 PORTVERSION=	1.6.2
@@ -25,6 +20,7 @@ SCRIPTS_ENV=	WRKDIRPREFIX="${WRKDIRPREFI
 		REALCURDIR="${.CURDIR}" \
 		PORTNAME="${PORTNAME}"
 MAKE_JOBS_UNSAFE=	yes
+SSP_UNSAFE=	yes
 
 .include <bsd.port.pre.mk>
 

Modified: head/devel/mingw32-gcc/Makefile
==============================================================================
--- head/devel/mingw32-gcc/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/devel/mingw32-gcc/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -20,6 +20,8 @@ LIB_DEPENDS=	gmp:${PORTSDIR}/math/gmp \
 
 GCCVERSION=	4.7.2
 
+SSP_UNSAFE=	yes
+
 ONLY_FOR_ARCHS=	amd64 i386 powerpc powerpc64 sparc64
 USE_LDCONFIG=	yes
 USES=		bison iconv gmake perl5

Modified: head/dns/c-ares/Makefile
==============================================================================
--- head/dns/c-ares/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/dns/c-ares/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -13,6 +13,8 @@ COMMENT=	An asynchronous DNS resolver li
 
 LICENSE=	MIT
 
+SSP_UNSAFE=	Refuses -l in LDFLAGS
+
 OPTIONS_DEFINE=		CONFIG_INFO DEBUG HIDE_SYMBOLS OPTIMIZED_CFLAGS
 OPTIONS_DEFAULT=	CONFIG_INFO HIDE_SYMBOLS
 

Modified: head/editors/emacs21/Makefile
==============================================================================
--- head/editors/emacs21/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/editors/emacs21/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -21,6 +21,8 @@ CONFLICTS=	emacs-19.* emacs-22.* emacs-2
 		xemacs-[0-9]* xemacs-devel-[0-9]* \
 		xemacs-mule-[0-9]* xemacs-devel-mule-[0-9]*
 
+SSP_UNSAFE=	yes
+
 .if !defined(WITHOUT_X11)
 LIB_DEPENDS=	Xaw3d:${PORTSDIR}/x11-toolkits/Xaw3d \
 		jpeg.11:${PORTSDIR}/graphics/jpeg \

Modified: head/emulators/kqemu-kmod-devel/Makefile
==============================================================================
--- head/emulators/kqemu-kmod-devel/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/emulators/kqemu-kmod-devel/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -19,6 +19,8 @@ COMMENT=	Kernel Accelerator for QEMU CPU
 LICENSE=	GPLv2
 LICENSE_FILE=	${WRKSRC}/COPYING
 
+SSP_UNSAFE=	kernel module does not support ssp
+
 ONLY_FOR_ARCHS=	i386 amd64
 HAS_CONFIGURE=	yes
 USE_GMAKE=	yes

Modified: head/emulators/kqemu-kmod/Makefile
==============================================================================
--- head/emulators/kqemu-kmod/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/emulators/kqemu-kmod/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -19,6 +19,8 @@ COMMENT=	Kernel Accelerator for QEMU CPU
 LICENSE=	GPLv2
 LICENSE_FILE=	${WRKSRC}/COPYING
 
+SSP_UNSAFE=	kernel module does not support ssp
+
 ONLY_FOR_ARCHS=	i386 amd64
 HAS_CONFIGURE=	yes
 USE_GMAKE=	yes

Modified: head/emulators/open-vm-tools/Makefile
==============================================================================
--- head/emulators/open-vm-tools/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/emulators/open-vm-tools/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -24,6 +24,8 @@ USES=			pkgconfig
 USE_LDCONFIG=		yes
 CPPFLAGS+=		-Wno-deprecated-declarations
 
+SSP_UNSAFE=		kernel module does not support ssp
+
 CONFIGURE_ARGS+=	--without-procps --sysconfdir=${LOCALBASE}/etc
 .if defined(WITHOUT_X11)
 LIB_DEPENDS+=		glib-2.0:${PORTSDIR}/devel/glib20

Modified: head/emulators/parallels-tools/Makefile
==============================================================================
--- head/emulators/parallels-tools/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/emulators/parallels-tools/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -1,9 +1,5 @@
-# New ports collection makefile for:	parallels-tools
-# Date created:		14 Jun 2009
-# Whom:			Alexander Nedotsukov <bland@FreeBSD.org>
-#
+# Created by: Alexander Nedotsukov <bland@FreeBSD.org>
 # $FreeBSD$
-#
 
 PORTNAME=	parallels-tools
 PORTVERSION=	0.1.1
@@ -14,6 +10,7 @@ MASTER_SITE_SUBDIR=	bland
 MAINTAINER=	bland@FreeBSD.org
 COMMENT=	Parallels Desktop Tools for FreeBSD
 
+SSP_UNSAFE=	kernel module does not support ssp
 USE_BZIP2=	yes
 
 ONLY_FOR_ARCHS=	amd64 i386

Modified: head/emulators/rtc/Makefile
==============================================================================
--- head/emulators/rtc/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/emulators/rtc/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -1,9 +1,5 @@
-# New ports collection makefile for:	rtc
-# Date created:		28 March 2000
-# Whom:			Akinori MUSHA aka knu <knu@idaemons.org>
-#
+# Created by: Akinori MUSHA aka knu <knu@idaemons.org>
 # $FreeBSD$
-#
 
 PORTNAME=	rtc
 PORTVERSION=	2004.02.24.1
@@ -17,6 +13,7 @@ COMMENT=	Kernel module which provides /d
 
 WRKSRC=		${WRKDIR}/files
 
+SSP_UNSAFE=	kernel module does not support ssp
 NO_FETCH=	yes
 USE_LINUX=	yes	# because of ${DEVDIR}
 

Modified: head/ftp/curl-hiphop/Makefile
==============================================================================
--- head/ftp/curl-hiphop/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/ftp/curl-hiphop/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -1,15 +1,13 @@
-# New ports collection makefile for:	curl-hiphop
-# Date created:		16 July 2012
-# Whom:			Martin Matuska <mm@FreeBSd.org>
-#
+# Created by: Martin Matuska <mm@FreeBSD.org>
 # $FreeBSD$
-#
 
 PKGNAMESUFFIX=	-hiphop
 
 MAINTAINER=	mm@FreeBSD.org
 COMMENT=	Static libcurl with custom patches for HipHop
 
+SSP_UNSAFE=	Refuses -l in LDFLAGS
+
 BUILDING_HIPHOP=	yes
 
 HIPHOP_DIR=	share/hiphop-php

Modified: head/ftp/curl/Makefile
==============================================================================
--- head/ftp/curl/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/ftp/curl/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -14,6 +14,8 @@ COMMENT?=	Non-interactive tool to get fi
 
 LICENSE=	MIT
 
+SSP_UNSAFE=	Refuses -l in LDFLAGS
+
 OPTIONS_DEFINE=	CA_BUNDLE COOKIES CURL_DEBUG DEBUG DOCS EXAMPLES GSSAPI IDN IPV6 LDAP LDAPS LIBSSH2 NTLM PROXY RTMP SPNEGO TLS_SRP
 OPTIONS_RADIO=	RESOLV SSL
 OPTIONS_RADIO_RESOLV=	CARES THREADED_RESOLVER

Modified: head/games/gtkradiant/Makefile
==============================================================================
--- head/games/gtkradiant/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/games/gtkradiant/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -20,6 +20,7 @@ LIB_DEPENDS=	libgtkglext-x11-1.0.so:${PO
 		libmhash.so:${PORTSDIR}/security/mhash \
 		libpng15.so:${PORTSDIR}/graphics/png
 
+SSP_UNSAFE=	yes
 USES=		pkgconfig
 USE_ZIP=	yes
 USE_GNOME=	gtk20 libxml2

Modified: head/graphics/kix-kmod/Makefile
==============================================================================
--- head/graphics/kix-kmod/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/graphics/kix-kmod/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -1,9 +1,5 @@
-# New ports collection makefile for:	kix-kmod
-# Date created:				4 January 2003
-# Whom:					Jonathan Belson <jon@witchspace.com>
-#
+# Created by: Jonathan Belson <jon@witchspace.com>
 # $FreeBSD$
-#
 
 PORTNAME=       kix
 PORTVERSION=	1.0
@@ -16,6 +12,8 @@ PKGNAMESUFFIX=	-kmod
 MAINTAINER=	jon@witchspace.com
 COMMENT=	A graphical screensaver kernel module
 
+SSP_UNSAFE=	kernel module does not support ssp
+
 .include <bsd.port.pre.mk>
 
 SYSDIR?=	${SRC_BASE}/sys

Modified: head/graphics/plasma-kmod/Makefile
==============================================================================
--- head/graphics/plasma-kmod/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/graphics/plasma-kmod/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -1,9 +1,5 @@
-# New ports collection makefile for:	plasma-kmod
-# Date created:				24 January 2001
-# Whom:					George Reid <greid@ukug.uk.freebsd.org>
-#
+# Created by: George Reid <greid@ukug.uk.freebsd.org>
 # $FreeBSD$
-#
 
 PORTNAME=	plasma
 PORTVERSION=	0.1
@@ -17,6 +13,8 @@ COMMENT=	A plasma-effect screensaver ker
 
 LICENSE=	BSD
 
+SSP_UNSAFE=	kernel module does not support ssp
+
 .include <bsd.port.pre.mk>
 
 .if !exists(${SRC_BASE}/sys/dev/syscons/syscons.h)

Modified: head/lang/gcc/Makefile
==============================================================================
--- head/lang/gcc/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/lang/gcc/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -32,6 +32,7 @@ USES=		bison gmake iconv perl5
 USE_BINUTILS=	yes
 USE_BZIP2=	yes
 USE_PERL5=	build
+SSP_UNSAFE=	yes
 
 PATCH_WRKSRC=	${SRCDIR}
 CONFIGURE_SCRIPT=	../${SRCDIR:S/${WRKDIR}\///}/configure

Modified: head/lang/gcc34/Makefile
==============================================================================
--- head/lang/gcc34/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/lang/gcc34/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -21,6 +21,7 @@ LATEST_LINK=	gcc${SUFFIX}${PKGNAMESUFFIX
 USES=		bison gmake iconv perl5
 USE_BZIP2=	yes
 USE_PERL=	build
+SSP_UNSAFE=	yes
 
 PATCH_WRKSRC=	${SRCDIR}
 CONFIGURE_SCRIPT=	../${SRCDIR:C/${WRKDIR}//}/configure

Modified: head/lang/gcc42/Makefile
==============================================================================
--- head/lang/gcc42/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/lang/gcc42/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -27,6 +27,7 @@ USES=		bison gmake iconv perl5
 USE_BZIP2=	yes
 USE_CSTD=	gnu89
 USE_PERL5=	build
+SSP_UNSAFE=	yes
 
 PATCH_WRKSRC=	${SRCDIR}
 CONFIGURE_SCRIPT=	../${SRCDIR:S/${WRKDIR}\///}/configure

Modified: head/lang/gcc44/Makefile
==============================================================================
--- head/lang/gcc44/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/lang/gcc44/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -25,6 +25,7 @@ USE_BINUTILS=	yes
 USES=		bison gmake iconv perl5
 USE_BZIP2=	yes
 USE_PERL5=	build
+SSP_UNSAFE=	yes
 
 PATCH_WRKSRC=	${SRCDIR}
 CONFIGURE_SCRIPT=	../${SRCDIR:S/${WRKDIR}\///}/configure

Modified: head/lang/gcc46/Makefile
==============================================================================
--- head/lang/gcc46/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/lang/gcc46/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -34,6 +34,7 @@ USES=		bison gmake iconv perl5
 USE_BINUTILS=	yes
 USE_BZIP2=	yes
 USE_PERL5=	build
+SSP_UNSAFE=	yes
 
 PATCH_WRKSRC=	${SRCDIR}
 CONFIGURE_SCRIPT=	../${SRCDIR:S/${WRKDIR}\///}/configure

Modified: head/lang/gcc47/Makefile
==============================================================================
--- head/lang/gcc47/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/lang/gcc47/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -33,6 +33,7 @@ USES=		bison gmake iconv perl5
 USE_BINUTILS=	yes
 USE_BZIP2=	yes
 USE_PERL5=	build
+SSP_UNSAFE=	yes
 
 PATCH_WRKSRC=	${SRCDIR}
 CONFIGURE_SCRIPT=	../${SRCDIR:S/${WRKDIR}\///}/configure

Modified: head/lang/gcc48/Makefile
==============================================================================
--- head/lang/gcc48/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/lang/gcc48/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -33,6 +33,7 @@ USES=		bison gmake iconv perl5
 USE_BINUTILS=	yes
 USE_BZIP2=	yes
 USE_PERL5=	build
+SSP_UNSAFE=	yes
 
 PATCH_WRKSRC=	${SRCDIR}
 CONFIGURE_SCRIPT=	../${SRCDIR:S/${WRKDIR}\///}/configure

Modified: head/lang/gcc49/Makefile
==============================================================================
--- head/lang/gcc49/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/lang/gcc49/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -33,6 +33,7 @@ USES=		gmake iconv perl5
 USE_BINUTILS=	yes
 USE_BZIP2=	yes
 USE_PERL5=	build
+SSP_UNSAFE=	yes
 
 PATCH_WRKSRC=	${SRCDIR}
 CONFIGURE_SCRIPT=	../${SRCDIR:S/${WRKDIR}\///}/configure

Modified: head/lang/libobjc2/Makefile
==============================================================================
--- head/lang/libobjc2/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/lang/libobjc2/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -9,6 +9,8 @@ MASTER_SITES=	http://download.gna.org/gn
 MAINTAINER=	theraven@FreeBSD.org
 COMMENT=	Replacement Objective-C runtime supporting modern Objective-C features
 
+SSP_UNSAFE=	yes
+
 .include <bsd.port.options.mk>
 
 USES=		cmake

Modified: head/lang/ocaml/Makefile
==============================================================================
--- head/lang/ocaml/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/lang/ocaml/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -20,6 +20,7 @@ REINPLACE_ARGS=	-i ""
 HAS_CONFIGURE=	yes
 ALL_TARGET=	world.opt
 STRIP=
+SSP_UNSAFE=	yes
 MAKE_JOBS_UNSAFE=	yes
 
 CONFIGURE_ARGS=	-verbose -prefix "${PREFIX}" -cc "${CC}" -as "${AS}" \

Modified: head/misc/dahdi-kmod/Makefile
==============================================================================
--- head/misc/dahdi-kmod/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/misc/dahdi-kmod/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -1,9 +1,5 @@
-# Ports collection makefile for:	dahdi
-# Date created:				3 Mar 2010
-# Whom:					Maxim Khon <fjoe@FreeBSD.org>
-#
+# Created by: Maxim Khon <fjoe@FreeBSD.org>
 # $FreeBSD$
-#
 
 PORTNAME=	dahdi-kmod
 PORTVERSION=	${DAHDI_VERSION:S/-//g}
@@ -22,6 +18,8 @@ COMMENT=	Digium/Asterisk Hardware Device
 
 RUN_DEPENDS=	${LOCALBASE}/sbin/dahdi_cfg:${PORTSDIR}/misc/dahdi
 
+SSP_UNSAFE=	kernel module does not support ssp
+
 DAHDI_VERSION=		2.4.0-rc5
 DAHDI_TOOLS_VERSION=	2.4.0-rc1
 OSLEC_VERSION=		2.6.35.4

Modified: head/misc/dahdi-kmod26/Makefile
==============================================================================
--- head/misc/dahdi-kmod26/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/misc/dahdi-kmod26/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -1,9 +1,5 @@
-# Ports collection makefile for:	dahdi
-# Date created:				3 Mar 2010
-# Whom:					Maxim Khon <fjoe@FreeBSD.org>
-#
+# Created by: Maxim Khon <fjoe@FreeBSD.org>
 # $FreeBSD$
-#
 
 PORTNAME=	dahdi-kmod26
 PORTVERSION=	${DAHDI_VERSION:S/-/./g}
@@ -22,6 +18,8 @@ COMMENT=	Digium/Asterisk Hardware Device
 
 RUN_DEPENDS=	${LOCALBASE}/sbin/dahdi_cfg:${PORTSDIR}/misc/dahdi
 
+SSP_UNSAFE=	kernel module does not support ssp
+
 DAHDI_VERSION=		2.6.1-r10738
 DAHDI_TOOLS_VERSION=	2.4.0-rc1
 OSLEC_VERSION=		2.6.35.4

Modified: head/multimedia/cuse4bsd-kmod/Makefile
==============================================================================
--- head/multimedia/cuse4bsd-kmod/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/multimedia/cuse4bsd-kmod/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -11,6 +11,7 @@ COMMENT=	Cuse4BSD character device loopb
 
 CONFLICTS=	video4bsd-kmod*
 
+SSP_UNSAFE=	kernel module does not support ssp
 USE_BZIP2=	yes
 
 KMODDIR=	/boot/modules

Modified: head/multimedia/cx88/Makefile
==============================================================================
--- head/multimedia/cx88/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/multimedia/cx88/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -18,6 +18,7 @@ KMODDIR=	/boot/modules
 PLIST_SUB+=	KMODDIR=${KMODDIR}
 MAKE_ARGS+=	LIBTUNER_LIB=${LOCALBASE}/lib/libtuner LIBTUNER_HEADER=${LOCALBASE}/include/libtuner KMODDIR=${KMODDIR}
 MAKE_JOBS_UNSAFE=	yes
+SSP_UNSAFE=	kernel module does not support ssp
 
 OPTIONS_DEFINE=	DEBUG LINUX_COMPAT HAL
 

Modified: head/multimedia/linux_dvbwrapper-kmod/Makefile
==============================================================================
--- head/multimedia/linux_dvbwrapper-kmod/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/multimedia/linux_dvbwrapper-kmod/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -10,6 +10,7 @@ DISTFILES=	# none
 MAINTAINER=	nox@FreeBSD.org
 COMMENT=	Linux compatibility layer - DVB ioctl handler
 
+SSP_UNSAFE=	kernel module does not support ssp
 ONLY_FOR_ARCHS=	i386 amd64
 
 .include <bsd.port.pre.mk>

Modified: head/multimedia/ptx-kmod/Makefile
==============================================================================
--- head/multimedia/ptx-kmod/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/multimedia/ptx-kmod/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -13,6 +13,8 @@ COMMENT=	Device driver for PT1/PT2 ISDB-
 
 LICENSE=	GPLv3
 
+SSP_UNSAFE=	kernel module does not support ssp
+
 ONLY_FOR_ARCHS=	amd64 i386
 BUILD_WRKSRC=	${WRKSRC}/dev/ptx
 MAKE_ENV=	KMODDIR=${PREFIX}/${KMODDIR} SYSDIR=${SYSDIR}

Modified: head/multimedia/pwcbsd/Makefile
==============================================================================
--- head/multimedia/pwcbsd/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/multimedia/pwcbsd/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -15,6 +15,8 @@ COMMENT=	The Linux pwc webcam driver por
 
 CONFLICTS=	pwcview-[0-9]*
 
+SSP_UNSAFE=	kernel module does not support ssp
+
 MAN4=		pwc.4
 
 WRKSRC=		${WRKDIR}/${PORTNAME}

Modified: head/net-mgmt/netams/Makefile
==============================================================================
--- head/net-mgmt/netams/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/net-mgmt/netams/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -12,6 +12,7 @@ COMMENT=	Network Traffic Accounting and 
 
 LIB_DEPENDS=	pcap.1:${PORTSDIR}/net/libpcap
 
+SSP_UNSAFE=	kernel module does not support ssp
 USE_SUBMAKE=	yes
 SUB_FILES=	pkg-message
 USE_RC_SUBR=	netams

Modified: head/net/aoe/Makefile
==============================================================================
--- head/net/aoe/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/net/aoe/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -1,13 +1,9 @@
-# Ports collection makefile for:	aoe (ATA Over Ethernet) driver
-# Date created:				22 May 2006
-# Whom:					Stacey D. Son <sds@son.org>
-#
+# Created by: Stacey D. Son <sds@son.org>
 # $FreeBSD$
-#
 
 PORTNAME=	aoe
 PORTVERSION=	1.2.0
-CATEGORIES=	net
+CATEGORIES=	net kld
 MASTER_SITES=	http://www.son.org/download/
 DISTNAME=	${PORTNAME}-freebsd-${PORTVERSION}
 
@@ -15,6 +11,7 @@ MAINTAINER=	fjoe@FreeBSD.org
 COMMENT=	FreeBSD driver for ATA over Ethernet (AoE)
 
 NO_PACKAGE=	Should be in sync with the kernel to work correctly
+SSP_UNSAFE=	kernel module does not support ssp
 
 WRKSRC=		${WRKDIR}/dev/aoe
 MAN4=		aoe.4

Modified: head/net/etherboot/Makefile
==============================================================================
--- head/net/etherboot/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/net/etherboot/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -9,6 +9,7 @@ MASTER_SITES=	SF http://etherboot.berlio
 MAINTAINER=	ambrisko@FreeBSD.org
 COMMENT=	Network boot of FreeBSD a.out/ELF kernels (improved netboot)
 
+SSP_UNSAFE=	yes
 ONLY_FOR_ARCHS=	i386
 NO_PACKAGE=	lots of configuration necessary
 

Modified: head/net/iet/Makefile
==============================================================================
--- head/net/iet/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/net/iet/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -4,7 +4,7 @@
 PORTNAME=	iet
 PORTVERSION=	1.4.20.2
 PORTREVISION=	6
-CATEGORIES=	net
+CATEGORIES=	net kld
 MASTER_SITES=	SF/iscsitarget/iscsitarget/${PORTVERSION}/
 DISTNAME=	iscsitarget-${PORTVERSION}
 
@@ -18,6 +18,7 @@ COMMENT=	The iSCSI Enterprise Target
 
 LICENSE=	GPLv2
 
+SSP_UNSAFE=	kernel module does not support ssp
 BUILD_WRKSRC=	${WRKSRC}/freebsd
 INSTALL_WRKSRC=	${BUILD_WRKSRC}
 

Modified: head/net/ng_daphne/Makefile
==============================================================================
--- head/net/ng_daphne/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/net/ng_daphne/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -1,9 +1,5 @@
-# New ports collection makefile for:	ng_daphne
-# Date created:		8 November 2003
-# Whom:			Gerasimos Dimitriadis
-#
+# Created by: Gerasimos Dimitriadis
 # $FreeBSD$
-#
 
 PORTNAME=	ng_daphne
 PORTVERSION=	1.0
@@ -15,6 +11,8 @@ MASTER_SITES=	http://newton.ee.auth.gr/n
 MAINTAINER=	gedimitr@auth.gr
 COMMENT=	A simple netgraph module for multihop ad hoc networks
 
+SSP_UNSAFE=	kernel module does not support ssp
+
 .include <bsd.port.pre.mk>
 
 SYSDIR?=	${SRC_BASE}/sys

Modified: head/net/ng_mikrotik_eoip/Makefile
==============================================================================
--- head/net/ng_mikrotik_eoip/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/net/ng_mikrotik_eoip/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -12,6 +12,8 @@ COMMENT=	Netgraph node for Mikrotik EoIP
 
 LICENSE=	BSD
 
+SSP_UNSAFE=	kernel module does not support ssp
+
 OPTIONS_DEFINE=	PTABLE	
 PTABLE_DESC=	Use O(1) lookup for tunnel hooks
 # This option enables usage of static pointer table to find needed decimal-named hook,

Modified: head/net/skyfish/Makefile
==============================================================================
--- head/net/skyfish/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/net/skyfish/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -1,9 +1,5 @@
-# New ports collection makefile for:   skyfish
-# Date created:        23 May 2008
-# Whom:                Nsand <nsand@sura.ru>
-#
+# Created by: Nsand <nsand@sura.ru>
 # $FreeBSD$
-#
 
 PORTNAME=	skyfish
 PORTVERSION=	0.91
@@ -13,6 +9,8 @@ MASTER_SITES=	ftp://ftp.lissyara.su/user
 MAINTAINER=	nsand@sura.ru
 COMMENT=	Grabbing TCP streams from network interface (SAT internet)
 
+SSP_UNSAFE=	kernel module does not support ssp
+
 .include <bsd.port.pre.mk>
 
 SYSDIR?=	${SRC_BASE}/sys

Modified: head/net/userfw/Makefile
==============================================================================
--- head/net/userfw/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/net/userfw/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -1,9 +1,5 @@
-# New ports collection makefile for:   userfw
-# Date created:        10 Mar 2012
-# Whom:                Maxim Ignatenko
-#
+# Created by: Maxim Ignatenko
 # $FreeBSD$
-#
 
 PORTNAME=	userfw
 PORTVERSION=	0.1.3
@@ -17,6 +13,7 @@ COMMENT=	Modular packet filter
 
 LICENSE=	BSD
 
+SSP_UNSAFE=	kernel module does not support ssp
 USE_XZ=		yes
 USES=		cmake:outsource
 USE_LDCONFIG=	yes

Modified: head/print/acroreadwrapper/Makefile
==============================================================================
--- head/print/acroreadwrapper/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/print/acroreadwrapper/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -1,13 +1,9 @@
-# New ports collection makefile for:	acroreadwrapper
-# Date created:		20 February 2006
-# Whom:			hrs
-#
+# Created by: hrs
 # $FreeBSD$
-#
 
 PORTNAME=	acroreadwrapper
 PORTVERSION=	0.0.20130208
-CATEGORIES=	print
+CATEGORIES=	print kld
 MASTER_SITES=	http://people.allbsd.org/~hrs/FreeBSD/
 DISTNAME=	linux_adobe_kmod-${PORTVERSION:E}
 
@@ -18,6 +14,8 @@ LICENSE=	BSD
 
 RUN_DEPENDS=	${LOCALBASE}/lib/linux-libgtkembedmoz/libgtkembedmoz.so:${PORTSDIR}/www/linux-libgtkembedmoz
 
+SSP_UNSAFE=	kernel module does not support ssp
+
 ONLY_FOR_ARCHS=	amd64 i386
 PLIST_FILES=	bin/acroread8 bin/acroread9 bin/acroread \
 		${KMODDIR}/linux_adobe.ko

Modified: head/security/quantis-kmod/Makefile
==============================================================================
--- head/security/quantis-kmod/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/security/quantis-kmod/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -17,6 +17,7 @@ LICENSE=	BSD GPLv2
 LICENSE_COMB=	dual
 LICENSE_FILE=	${WRKDIR}/Quantis-${DISTVERSION}/License.txt
 
+SSP_UNSAFE=	kernel module does not support ssp
 USE_ZIP=	yes
 EXTRACT_BEFORE_ARGS=	-aqo
 

Modified: head/sysutils/acpi_call/Makefile
==============================================================================
--- head/sysutils/acpi_call/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/sysutils/acpi_call/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -1,9 +1,5 @@
-# New ports collection makefile for:	acpi_call
-# Date created:				15 Oct 2011
-# Whom:					Maxim Ignatenko
-#
+# Created by: Maxim Ignatenko
 # $FreeBSD$
-#
 
 PORTNAME=	acpi_call
 PORTVERSION=	1.0.1
@@ -16,6 +12,8 @@ COMMENT=	Kernel module for calling ACPI 
 
 LICENSE=	BSD
 
+SSP_UNSAFE=	kernel module does not support ssp
+
 .include <bsd.port.pre.mk>
 
 KMODDIR?=	/boot/modules

Modified: head/sysutils/biosfont/Makefile
==============================================================================
--- head/sysutils/biosfont/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/sysutils/biosfont/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -11,6 +11,8 @@ COMMENT=	Kernel module to retrieve bitma
 
 LICENSE=	BSD
 
+SSP_UNSAFE=	kernel module does not support ssp
+
 # only platforms guraranteed to be ok, feedback/patches are welcome
 ONLY_FOR_ARCHS=	i386 amd64
 

Modified: head/sysutils/fusefs-kmod/Makefile
==============================================================================
--- head/sysutils/fusefs-kmod/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/sysutils/fusefs-kmod/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -17,6 +17,8 @@ COMMENT=	Kernel module for fuse
 
 BUILD_DEPENDS=	fusefs-libs>2.4.1:${PORTSDIR}/sysutils/fusefs-libs
 
+SSP_UNSAFE=	kernel module does not support ssp
+
 USE_RC_SUBR=	fusefs
 KMODDIR?=	${PREFIX}/modules
 PLIST_SUB=	KMODDIR=${KMODDIR}

Modified: head/sysutils/graid5/Makefile
==============================================================================
--- head/sysutils/graid5/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/sysutils/graid5/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -1,9 +1,5 @@
-# New ports collection makefile for:	graid5
-# Date created:				09 Nov 2010
-# Whom:					Lev Serebryakov <lev@FreeBSD.org>
-#
+# Created by: Lev Serebryakov <lev@FreeBSD.org>
 # $FreeBSD$
-#
 
 PORTNAME=	graid5
 PORTVERSION=	${MAINVERSION}.${VERSIONDATE}
@@ -14,6 +10,7 @@ MASTER_SITES=	http://lev.serebryakov.spb
 MAINTAINER=	lev@FreeBSD.org
 COMMENT=	RAID5 geom class
 
+SSP_UNSAFE=	kernel module does not support ssp
 USE_BZIP2=	yes
 
 NO_PACKAGE=	should be recompiled for a particular FreeBSD kernel

Modified: head/sysutils/grub2/Makefile
==============================================================================
--- head/sysutils/grub2/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/sysutils/grub2/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -17,6 +17,7 @@ BUILD_DEPENDS=	${LOCALBASE}/bin/flex:${P
 		help2man:${PORTSDIR}/misc/help2man
 
 CONFLICTS=	grub-0*
+SSP_UNSAFE=	yes
 USE_XZ=		yes
 USE_GCC=	yes
 USE_AUTOTOOLS=	automake aclocal autoconf

Modified: head/sysutils/mono-kmod/Makefile
==============================================================================
--- head/sysutils/mono-kmod/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/sysutils/mono-kmod/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -1,9 +1,5 @@
-# Ports collection makefile for: mono-kmod
-# Date created:		14 April 2007
-# Whom:			bkoenig@cs.tu-berlin.de
-#
+# Created by: bkoenig@cs.tu-berlin.de
 # $FreeBSD$
-#
 
 PORTNAME=	mono-kmod
 PORTVERSION=	20070416
@@ -15,6 +11,7 @@ COMMENT=	Execute .NET applications from 
 
 ONLY_FOR_ARCHS=	i386 amd64 arm
 
+SSP_UNSAFE=	kernel module does not support ssp
 USE_BZIP2=	yes
 KMODDIR?=	/boot/modules
 SUB_FILES=	pkg-message

Modified: head/sysutils/pefs-kmod/Makefile
==============================================================================
--- head/sysutils/pefs-kmod/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/sysutils/pefs-kmod/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -1,4 +1,4 @@
-# Created by: Gleb Kurtsou <gleb@freebsd.org>
+# Created by: Gleb Kurtsou <gleb@FreeBSD.org>
 # $FreeBSD$
 
 PORTNAME=	pefs
@@ -12,6 +12,7 @@ COMMENT=	PEFS kernel level stacked crypt
 
 LICENSE=	BSD
 
+SSP_UNSAFE=	kernel module does not support ssp
 FETCH_ARGS=	-Fpr		# work around 302 redirect
 
 KMODDIR?=	/boot/modules

Modified: head/sysutils/pmap/Makefile
==============================================================================
--- head/sysutils/pmap/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/sysutils/pmap/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -11,6 +11,7 @@ MASTER_SITES=	${MASTER_SITE_LOCAL:S!$!sk
 MAINTAINER=	ports@FreeBSD.org
 COMMENT=	Detailed process memory display
 
+SSP_UNSAFE=	kernel module does not support ssp
 NO_PACKAGE=	Depends on kernel
 
 KMODDIR=	/boot/modules

Modified: head/sysutils/scprotect/Makefile
==============================================================================
--- head/sysutils/scprotect/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/sysutils/scprotect/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -1,9 +1,5 @@
-# New ports collection Makefile for:	scprotect
-# Date created:		5 Feb 2009
-# Whom:			Denis Barov  <dindin@dindin.ru>
-#
+# Created by: Denis Barov  <dindin@dindin.ru>
 # $FreeBSD$
-#
 
 PORTNAME=	scprotect
 PORTVERSION=	20091116
@@ -14,6 +10,7 @@ MAINTAINER=	ports@FreeBSD.org
 COMMENT=	Protect process from killing when the swap space is exhausted
 
 NO_PACKAGE=	Needs to be compiled for specific kernel
+SSP_UNSAFE=	kernel module does not support ssp
 
 KMODDIR?=	/boot/modules
 

Modified: head/sysutils/vordog/Makefile
==============================================================================
--- head/sysutils/vordog/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/sysutils/vordog/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -1,9 +1,5 @@
-# Ports collection makefile for: vordog
-# Date created: 8 July 2008
-# Whom:		Kueifeng Li <thinker@branda.to>
-#
+# Created by: Kueifeng Li <thinker@branda.to>
 # $FreeBSD$
-#
 
 PORTNAME=	vordog
 PORTVERSION=	20080708
@@ -13,6 +9,7 @@ MASTER_SITES=	http://www.assembla.com/sp
 MAINTAINER=	ports@FreeBSD.org
 COMMENT=	Watchdog(9) driver for watchdog timer of Vortex86
 
+SSP_UNSAFE=	kernel module does not support ssp
 KMODDIR=	/boot/modules
 
 ONLY_FOR_ARCHS=	i386

Modified: head/x11/nvidia-driver/Makefile
==============================================================================
--- head/x11/nvidia-driver/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
+++ head/x11/nvidia-driver/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
@@ -27,6 +27,7 @@ LICENSE_NAME=	License For Customer Use o
 LICENSE_FILE=	${WRKSRC}/doc/license.txt
 LICENSE_PERMS=	dist-mirror no-dist-sell pkg-mirror no-pkg-sell auto-accept
 
+SSP_UNSAFE=	kernel module does not support ssp
 ARCH_SUFX=	${ARCH:S/i386//:S/amd/_/}
 USE_XORG=	xorg-server
 USE_GL=		gl
_______________________________________________
svn-ports-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-ports-all
To unsubscribe, send any mail to "svn-ports-all-unsubscribe@freebsd.org"