Fedora 31 Plans To Use GCC Security Hardening Flags By Default

Fedora 31 will likely be enabling various GCC security hardening flags by default in trying to further enhance the security of the software in its repositories and those building software on their own Fedora systems.

While Fedora generally leads the way with low-level innovations to the Linux stack thanks to Red Hat, in this case they are a bit behind the ball for enabling these GCC security hardening flags. In fact, the flags they are planning to use by default are already the defaults on Ubuntu.

With Fedora 31 they would enable "-Wformat -Wformat-security -fstack-protector-strong" flags by default for checking printf/scanf calls to ensure a proper format string is specified and conversions are correct, warning about possible security problems for the formatted printing, and additional stack protector protections.

Fedora's build system already enables some security-related flags by default but this change would patch GCC to enable the functionality by default for all software built by GCC (assuming the opposite flags aren't set) to ensure all software being built on the Fedora 31 compiler would receive these hardening benefits.

Details on this planned change for Fedora 31 is outlined via this change proposal.