From jlh@felucia.tataz.chchile.org  Thu Aug 27 07:22:00 2009
Return-Path: <jlh@felucia.tataz.chchile.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id CD9DC1065696
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 27 Aug 2009 07:22:00 +0000 (UTC)
	(envelope-from jlh@felucia.tataz.chchile.org)
Received: from smtpfb2-g21.free.fr (smtpfb2-g21.free.fr [212.27.42.10])
	by mx1.freebsd.org (Postfix) with ESMTP id 3C0F48FC46
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 27 Aug 2009 07:21:58 +0000 (UTC)
Received: from smtp1-g21.free.fr (smtp1-g21.free.fr [212.27.42.1])
	by smtpfb2-g21.free.fr (Postfix) with ESMTP id 40956D1B236
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 27 Aug 2009 09:05:22 +0200 (CEST)
Received: from smtp1-g21.free.fr (localhost [127.0.0.1])
	by smtp1-g21.free.fr (Postfix) with ESMTP id 787629400BC;
	Thu, 27 Aug 2009 09:05:14 +0200 (CEST)
Received: from endor.tataz.chchile.org (tataz.chchile.org [82.233.239.98])
	by smtp1-g21.free.fr (Postfix) with ESMTP id 84CEC94007C;
	Thu, 27 Aug 2009 09:05:12 +0200 (CEST)
Received: from felucia.tataz.chchile.org (felucia.tataz.chchile.org [192.168.1.9])
	by endor.tataz.chchile.org (Postfix) with ESMTP id C399236313;
	Thu, 27 Aug 2009 07:04:37 +0000 (UTC)
Received: by felucia.tataz.chchile.org (Postfix, from userid 1000)
	id A4162A22C9; Thu, 27 Aug 2009 07:04:37 +0000 (UTC)
Message-Id: <20090827070437.A4162A22C9@felucia.tataz.chchile.org>
Date: Thu, 27 Aug 2009 07:04:37 +0000 (UTC)
From: Jeremie Le Hen <jeremie@le-hen.org>
Reply-To: Jeremie Le Hen <jeremie@le-hen.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc: jeremie@le-hen.org
Subject: [ports] New opt-in knob to compile ports with SSP
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         138228
>Category:       ports
>Synopsis:       [bsd.port.mk] [exp-run] New opt-in knob to compile ports with SSP
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bdrewery
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Aug 27 07:30:02 UTC 2009
>Closed-Date:    Fri Sep 20 07:55:20 CDT 2013
>Last-Modified:  Fri Sep 20 13:00:00 UTC 2013
>Originator:     Jeremie Le Hen
>Release:        FreeBSD
>Organization:
None
>Environment:
System: FreeBSD felucia.tataz.chchile.org

>Description:
	The first patch add a knew knob WITH_SSP_PORTS that, if enabled,
	will add -fstack-protector to CFLAGS.  I've chosen this name to
	not conflict with WITH_SSP that affects src/ build.

	This is a great win in term of security and follows the trail
	of FreeBSD-8.0 which is now compiled with SSP (opt-out).

	Although most of the ports build smoothly with this knob turned on,
	few of them won't build out of the box.  With kan@'s recent change
	to put SSP symbols in libssp_static.a instead of libc,
	-fstack-protector must be provided explicitely at link time.
	lang/perl-5.* for instance have to be slightly modified to be built
	with SSP as it does not pay attention to LDFLAGS.
	You will find another patch attached for lang/perl* as well.

	I don't have the power and time necessary to test and fix every
	ports, but given this is an opt-in I think we could live with this
	and let patches trickle in the ports tree.

--- WITH_SSP_PORTS.patch begins here ---
Index: Mk/bsd.port.mk
===================================================================
RCS file: /mnt/repos/freebsd-cvsroot/ports/Mk/bsd.port.mk,v
retrieving revision 1.626
diff -u -p -u -r1.626 bsd.port.mk
--- Mk/bsd.port.mk	22 Aug 2009 19:32:48 -0000	1.626
+++ Mk/bsd.port.mk	26 Aug 2009 22:33:25 -0000
@@ -1629,6 +1629,12 @@ CFLAGS:=	${CFLAGS:C/${_CPUCFLAGS}//}
 .endif
 .endif
 
+.if defined(WITH_SSP_PORTS)
+SSP_FLAGS?=		-fstack-protector
+CFLAGS:=		${CFLAGS} ${SSP_FLAGS}
+LDFLAGS:=		${LDFLAGS} -fstack-protector
+.endif
+
 .if defined(WITH_DEBUG) && !defined(WITHOUT_DEBUG)
 STRIP=	#none
 STRIP_CMD=	${TRUE}
--- WITH_SSP_PORTS.patch ends here ---

--- WITH_SSP_PORTS_lang_perl.patch begins here ---
Index: lang/perl5.10/Makefile
===================================================================
RCS file: /mnt/repos/freebsd-cvsroot/ports/lang/perl5.10/Makefile,v
retrieving revision 1.112
diff -u -p -u -r1.112 Makefile
--- lang/perl5.10/Makefile	6 Jul 2009 12:16:07 -0000	1.112
+++ lang/perl5.10/Makefile	26 Aug 2009 22:26:43 -0000
@@ -86,6 +86,10 @@ STRIP_CMD=	${TRUE}
 CONFIGURE_ARGS+=	-Doptimize="${CFLAGS}"
 .endif
 
+.if defined(WITH_SSP_PORTS)
+CONFIGURE_ARGS+=        -A append:ldflags=-fstack-protector
+.endif
+
 .if defined(ENABLE_SUIDPERL) || defined(WITH_SUIDPERL)
 CONFIGURE_ARGS+=	-Dd_dosuid=define
 PLIST_SUB+=		SUIDPERL=""
Index: lang/perl5.8/Makefile
===================================================================
RCS file: /mnt/repos/freebsd-cvsroot/ports/lang/perl5.8/Makefile,v
retrieving revision 1.108
diff -u -p -u -r1.108 Makefile
--- lang/perl5.8/Makefile	7 Aug 2009 11:03:10 -0000	1.108
+++ lang/perl5.8/Makefile	26 Aug 2009 22:26:52 -0000
@@ -89,6 +89,10 @@ STRIP_CMD=	${TRUE}
 CONFIGURE_ARGS+=	-Doptimize="${CFLAGS}"
 .endif
 
+.if defined(WITH_SSP_PORTS)
+CONFIGURE_ARGS+=        -A append:ldflags=-fstack-protector
+.endif
+
 .if defined(ENABLE_SUIDPERL) || defined(WITH_SUIDPERL)
 CONFIGURE_ARGS+=	-Dd_dosuid=define
 PLIST_SUB+=		SUIDPERL=""
--- WITH_SSP_PORTS_lang_perl.patch ends here ---


>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->portmgr 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu Aug 27 07:58:50 UTC 2009 
Responsible-Changed-Why:  
will require -exp run. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=138228 

Date: Sat, 31 Jul 2010 10:04:44 +0200
From: Jeremie Le Hen <jeremie@le-hen.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc: jeremie@le-hen.org, portmgr@FreeBSD.org
Subject: Re: [ports] New opt-in knob to compile ports with SSP

 --zhXaljGHf11kAtnf
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 
 Hi,
 
 He are updated patches.  Moreover they will be downloadable directly
 from GNATS instead of inlined in the PR.
 
 This time, I've Cc'ed portsmgr@, in the hope to reach a decision on how
 to merge this.  There are clearly a lot of ports broken by this commit,
 but I think it would be overly difficult to find and fix them all before
 committing this.  On the other hand, it is a pity impede the use of the
 stack-protector for the majority of ports that already works correctly.
 
 I know there is no branch in ports/ as in src/ to test new features, but
 certainly you have already been faced to such a problem in the past.
 How did you manage this?  Is it possible for instance to add the option
 without documenting it officially, so only informed user will try it?
 
 Regards,
 -- 
 Jeremie Le Hen
 
 Humans are born free and equal.  But some are more equal than others.
 					    Coluche
 
 --zhXaljGHf11kAtnf
 Content-Type: text/x-diff; charset=us-ascii
 Content-Disposition: attachment; filename="WITH_SSP_PORTS.patch"
 
 Index: Mk/bsd.port.mk
 ===================================================================
 RCS file: /mnt/repos/freebsd-cvsroot/ports/Mk/bsd.port.mk,v
 retrieving revision 1.643
 diff -u -p -u -p -r1.643 bsd.port.mk
 --- Mk/bsd.port.mk	15 Jul 2010 14:48:50 -0000	1.643
 +++ Mk/bsd.port.mk	28 Jul 2010 18:56:09 -0000
 @@ -1655,6 +1655,12 @@ CFLAGS:=	${CFLAGS:C/${_CPUCFLAGS}//}
  .endif
  .endif
  
 +.if defined(WITH_SSP_PORTS)
 +SSP_FLAGS?= -fstack-protector
 +CFLAGS:= ${CFLAGS} ${SSP_FLAGS}
 +LDFLAGS:= ${LDFLAGS} -fstack-protector
 +.endif
 +
  .if defined(WITH_DEBUG) && !defined(WITHOUT_DEBUG)
  STRIP=	#none
  STRIP_CMD=	${TRUE}
 
 --zhXaljGHf11kAtnf
 Content-Type: text/x-diff; charset=us-ascii
 Content-Disposition: attachment; filename="WITH_SSP_PORTS_lang_perl.patch"
 
 Index: lang/perl5.10/Makefile
 ===================================================================
 RCS file: /mnt/repos/freebsd-cvsroot/ports/lang/perl5.10/Makefile,v
 retrieving revision 1.121
 diff -u -p -u -p -r1.121 Makefile
 --- lang/perl5.10/Makefile	15 Jul 2010 14:48:51 -0000	1.121
 +++ lang/perl5.10/Makefile	28 Jul 2010 18:57:29 -0000
 @@ -90,6 +90,10 @@ STRIP_CMD=	${TRUE}
  CONFIGURE_ARGS+=	-Doptimize="${CFLAGS}"
  .endif
  
 +.if defined(WITH_SSP_PORTS)
 +CONFIGURE_ARGS+=	-A append:ldflags=-fstack-protector
 +.endif
 +
  .if defined(ENABLE_SUIDPERL) || defined(WITH_SUIDPERL)
  CONFIGURE_ARGS+=	-Dd_dosuid=define
  PLIST_SUB+=		SUIDPERL=""
 Index: lang/perl5.12/Makefile
 ===================================================================
 RCS file: /mnt/repos/freebsd-cvsroot/ports/lang/perl5.12/Makefile,v
 retrieving revision 1.122
 diff -u -p -u -p -r1.122 Makefile
 --- lang/perl5.12/Makefile	23 Jul 2010 17:41:03 -0000	1.122
 +++ lang/perl5.12/Makefile	28 Jul 2010 18:58:00 -0000
 @@ -88,6 +88,10 @@ STRIP_CMD=	${TRUE}
  CONFIGURE_ARGS+=	-Doptimize="${CFLAGS}"
  .endif
  
 +.if defined(WITH_SSP_PORTS)
 +CONFIGURE_ARGS+=	-A append:ldflags=-fstack-protector
 +.endif
 +
  .if defined(WITH_GDBM)
  CONFIGURE_ARGS+=	-Di_gdbm
  LIB_DEPENDS+=		gdbm.3:${PORTSDIR}/databases/gdbm
 Index: lang/perl5.8/Makefile
 ===================================================================
 RCS file: /mnt/repos/freebsd-cvsroot/ports/lang/perl5.8/Makefile,v
 retrieving revision 1.111
 diff -u -p -u -p -r1.111 Makefile
 --- lang/perl5.8/Makefile	15 Jul 2010 14:48:51 -0000	1.111
 +++ lang/perl5.8/Makefile	28 Jul 2010 18:57:48 -0000
 @@ -92,6 +92,10 @@ STRIP_CMD=	${TRUE}
  CONFIGURE_ARGS+=	-Doptimize="${CFLAGS}"
  .endif
  
 +.if defined(WITH_SSP_PORTS)
 +CONFIGURE_ARGS+=	-A append:ldflags=-fstack-protector
 +.endif
 +
  .if defined(ENABLE_SUIDPERL) || defined(WITH_SUIDPERL)
  CONFIGURE_ARGS+=	-Dd_dosuid=define
  PLIST_SUB+=		SUIDPERL=""
 
 --zhXaljGHf11kAtnf
 Content-Type: text/x-diff; charset=us-ascii
 Content-Disposition: attachment; filename="WITH_SSP_PORTS_databases_db41.patch"
 
 Index: Makefile
 ===================================================================
 RCS file: /mnt/repos/freebsd-cvsroot/ports/databases/db41/Makefile,v
 retrieving revision 1.65
 diff -u -p -u -p -r1.65 Makefile
 --- Makefile	13 Jun 2010 12:01:22 -0000	1.65
 +++ Makefile	28 Jul 2010 21:54:53 -0000
 @@ -32,6 +32,10 @@ CONFIGURE_ARGS=	--enable-compat185 --ena
  		--includedir=${PREFIX}/include/db41
  USE_LDCONFIG=	yes
  
 +.if defined(WITH_SSP_PORTS)
 +CONFIGURE_ENV+=	LDFLAGS=-fstack-protector
 +.endif
 +
  .if !defined(NOPORTDOCS)
  INSTALL_TARGET=	install install_docs
  PORTDOCS=	*
 
 --zhXaljGHf11kAtnf--

From: Mark Linimon <linimon@lonesome.com>
To: Jeremie Le Hen <jeremie@le-hen.org>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: Re: ports/138228: [bsd.port.mk] New opt-in knob to compile ports
	with SSP
Date: Sat, 31 Jul 2010 09:13:03 -0500

 On Sat, Jul 31, 2010 at 10:04:44AM +0200, Jeremie Le Hen wrote:
 > There are clearly a lot of ports broken by this commit, but I think it
 > would be overly difficult to find and fix them all before committing this.
 [...]
 > I know there is no branch in ports/ as in src/ to test new features, but
 > certainly you have already been faced to such a problem in the past.
 > How did you manage this?
 
 Our solution to the problem of changes that affect bsd.port.mk and thus
 many ports, is to do a 'test build' across the entire ports tree to find
 errors before committing.  Too many people automatically update ports to
 allow a lot of ports to be broken.  This system is not perfect, but until
 we get more resources*, it's the best one we have.
 
 mcl
 
 * I am working hard on getting us more horsepower for -exp runs.

From: "b. f." <bf1783@googlemail.com>
To: bug-followup@FreeBSD.org
Cc: Jeremie Le Hen <jeremie@le-hen.org>
Subject: Re: ports/138228: [bsd.port.mk] New opt-in knob to compile ports with 
	SSP
Date: Wed, 11 Aug 2010 21:04:59 +0000

 It would be nice to see SSP finally available in the vanilla ports
 tree, several years after it was enabled by default in the base
 system.  I should explicitly note, since it isn't mentioned here, that
 this is architecture-dependent:  SSP is not enabled in the base system
 for ia64, arm, or mips (see bsd.sys.mk); and also that the results of
 any tests will vary by architecture: for example, because of
 differences in the implementation details, more ports are likely to
 fail with these changes on i386 than on amd64. Also, any tests should
 determine whether SSP was actually enabled in the resulting packages,
 by examining the binaries, and not just whether the ports can be
 built, installed, and packaged.
 
 ...
 
 >+.if defined(WITH_SSP_PORTS)
 >+SSP_FLAGS?= -fstack-protector
 >+CFLAGS:= ${CFLAGS} ${SSP_FLAGS}
 >+LDFLAGS:= ${LDFLAGS} -fstack-protector
 
 Shouldn't this last line be:
 
 +LDFLAGS:= ${LDFLAGS}${SSP_FLAGS}
 
 The current line, with "-fstack-protector" hard-coded, seems to defeat
 the purpose of SSP_FLAGS.
 
 With regard to the perl* patches:  the use of  append:ldflags is
 expedient (here again, though, SSP_CFLAGS should be appended, and not
 -fstack-protector), but it does not fully address the real problem --
 that these ports do not respect LDFLAGS.  They should be patched so
 that they do, because we will need this not only for SSP, but also if
 we are to introduce the wider use of alternative compilers and
 toolchains from ports, or the use of flags like -fwhopr, -flto*, or
 --as-needed, which can yield substantial benefits.  Making all ports
 respect LDFLAGS is better than adding a bunch of ad hoc patches just
 for SSP, which will then have to be extended later anyway.
 
 Regards,
                  b.

From: "b. f." <bf1783@googlemail.com>
To: bug-followup@freebsd.org
Cc: Jeremie Le Hen <jeremie@le-hen.org>
Subject: Re: ports/138228: [bsd.port.mk] New opt-in knob to compile ports with SSP
Date: Wed, 11 Aug 2010 21:36:03 +0000

 --000e0cd519525ccbd7048d930999
 Content-Type: text/plain; charset=ISO-8859-1
 
 > With regard to the perl* patches:  the use of  append:ldflags is
 > expedient (here again, though, SSP_CFLAGS should be appended, and not
 > -fstack-protector), but it does not fully address the real problem --
 > that these ports do not respect LDFLAGS.  They should be patched so
 > that they do, because we will need this not only for SSP, but also if
 > we are to introduce the wider use of alternative compilers and
 > toolchains from ports, or the use of flags like -fwhopr, -flto*, or
 > --as-needed, which can yield substantial benefits.  Making all ports
 > respect LDFLAGS is better than adding a bunch of ad hoc patches just
 > for SSP, which will then have to be extended later anyway.
 
 As an example, I patched lang/perl5.12 (hurriedly, and some time ago,
 so you should check whether all of the changes were necessary) to do
 this.  Patch attached.  Changes needed for the other versions of perl
 ought to be similar.
 
 b.
 
 --000e0cd519525ccbd7048d930999
 Content-Type: text/plain; charset=US-ASCII; name="perl_512_ssp_diff.txt"
 Content-Disposition: attachment; filename="perl_512_ssp_diff.txt"
 Content-Transfer-Encoding: base64
 X-Attachment-Id: file0
 
 ZGlmZiAtLWV4Y2x1ZGU9J25ldy4qJyAtLWV4Y2x1ZGU9J29sZC4qJyAtcnVOIHBlcmw1LjEyLm9y
 aWcvTWFrZWZpbGUgcGVybDUuMTIvTWFrZWZpbGUKLS0tIHBlcmw1LjEyLm9yaWcvTWFrZWZpbGUJ
 MjAxMC0wOC0xMSAxNzoyMjo0NS4wMDAwMDAwMDAgLTA0MDAKKysrIHBlcmw1LjEyL01ha2VmaWxl
 CTIwMTAtMDctMjYgMTc6MTc6MzguMDAwMDAwMDAwIC0wNDAwCkBAIC01NSw3ICs1NSw4IEBACiAJ
 LURzaXRlbWFuMWRpcj0ke1BSRUZJWH0vbWFuL21hbjEgXAogCS1VaV9tYWxsb2MgLVVpX2ljb252
 IC1VaW5zdGFsbHVzcmJpbnBlcmwgXAogCS1EY2M9IiR7Q0N9IiAtRHVzZXNocnBsaWIgLURpbmNf
 dmVyc2lvbl9saXN0PW5vbmUgXAotCS1EY2NmbGFncz0tREFQUExMSUJfRVhQPVwiJHtCU0RQQU5f
 REVTVH1cIgorCS1EY2NmbGFncz0iJHtDRkxBR1M6TS1mKnN0YWNrLXByb3RlY3Rvcip9IC1EQVBQ
 TExJQl9FWFA9XCIke0JTRFBBTl9ERVNUfVwiIiBcCisJLURsZGZsYWdzPSIke0xERkxBR1N9Igog
 TE9DQUxFX0NMRUFOVVA9CUxBTkc9IiIgTENfQUxMPSIiIExDX0NPTExBVEU9IiIgTENfQ1RZUEU9
 IiIgXAogCQlMQ19NRVNTQUdFUz0iIiBMQ19NT05FVEFSWT0iIiBMQ19OVU1FUklDPSIiIFwKIAkJ
 TENfVElNRT0iIgpkaWZmIC0tZXhjbHVkZT0nbmV3LionIC0tZXhjbHVkZT0nb2xkLionIC1ydU4g
 cGVybDUuMTIub3JpZy9maWxlcy9wYXRjaC1mcmVlYnNkLnNoIHBlcmw1LjEyL2ZpbGVzL3BhdGNo
 LWZyZWVic2Quc2gKLS0tIHBlcmw1LjEyLm9yaWcvZmlsZXMvcGF0Y2gtZnJlZWJzZC5zaAkyMDEw
 LTA4LTExIDE3OjIyOjQ1LjAwMDAwMDAwMCAtMDQwMAorKysgcGVybDUuMTIvZmlsZXMvcGF0Y2gt
 ZnJlZWJzZC5zaAkyMDEwLTA3LTE2IDIxOjU1OjU0LjAwMDAwMDAwMCAtMDQwMApAQCAtMjUsMjAg
 KzI1LDExIEBACiAgICAgICAgICAgICAgbGlicHRoPSIvdXNyL2xpYiAvdXNyL2xvY2FsL2xpYiIK
 ICAgICAgICAgICAgICBnbGlicHRoPSIvdXNyL2xpYiAvdXNyL2xvY2FsL2xpYiIKIC0gICAgICAg
 ICAgICBsZGZsYWdzPSItV2wsLUUgIgotKyAgICAgICAgICAgIGxkZmxhZ3M9IiUlUFRIUkVBRF9M
 SUJTJSUgLVdsLC1FICIKKysgICAgICAgICAgICBsZGZsYWdzPSIke2xkZmxhZ3N9ICUlUFRIUkVB
 RF9MSUJTJSUgLVdsLC1FICIKICAgICAgICAgICAgICBsZGRsZmxhZ3M9Ii1zaGFyZWQgIgogICAg
 ICAgICAgZmkKICAgICAgICAgIGNjY2RsZmxhZ3M9Jy1EUElDIC1mUElDJwotQEAgLTEzMyw3ICsx
 MzksNyBAQAotICopCi0gICAgICAgIGxpYnB0aD0iL3Vzci9saWIgL3Vzci9sb2NhbC9saWIiCi0g
 ICAgICAgIGdsaWJwdGg9Ii91c3IvbGliIC91c3IvbG9jYWwvbGliIgotLSAgICAgICBsZGZsYWdz
 PSItV2wsLUUgIgotKyAgICAgICBsZGZsYWdzPSIlJVBUSFJFQURfTElCUyUlIC1XbCwtRSAiCi0g
 ICAgICAgICBsZGRsZmxhZ3M9Ii1zaGFyZWQgIgotICAgICAgICAgY2NjZGxmbGFncz0nLURQSUMg
 LWZQSUMnCi0gICAgICAgIDs7Ci1AQCAtMTQzLDcgKzE0OSw3IEBACitAQCAtMTM2LDcgKzE0Miw3
 IEBACiAgMCp8MSp8Mip8MyopIDs7CiAgCiAgKikKQEAgLTQ3LDcgKzM4LDcgQEAKICAJaWYgL3Vz
 ci9iaW4vZmlsZSAtTCAvdXNyL2xpYi9saWJjLnNvIHwgL3Vzci9iaW4vZ3JlcCAtdnEgIm5vdCBz
 dHJpcHBlZCIgOyB0aGVuCiAgCSAgICB1c2VubT1mYWxzZQogIAlmaQotQEAgLTE5MCw3ICsxOTYs
 OSBAQAorQEAgLTE4Myw3ICsxODksOSBAQAogIAogICMgVGhpcyBzY3JpcHQgVVUvdXNldGhyZWFk
 cy5jYnUgd2lsbCBnZXQgJ2NhbGxlZC1iYWNrJyBieSBDb25maWd1cmUgCiAgIyBhZnRlciBpdCBo
 YXMgcHJvbXB0ZWQgdGhlIHVzZXIgZm9yIHdoZXRoZXIgdG8gdXNlIHRocmVhZHMuCg==
 --000e0cd519525ccbd7048d930999--

From: Anonymous <swell.k@gmail.com>
To: Jeremie Le Hen <jeremie@le-hen.org>
Cc: bug-followup@FreeBSD.org
Subject: Re: ports/138228: [bsd.port.mk] New opt-in knob to compile ports with SSP
Date: Wed, 05 Jan 2011 15:22:29 +0300

 > The first patch add a knew knob WITH_SSP_PORTS that, if enabled,
 > will add -fstack-protector to CFLAGS. I've chosen this name to
 > not conflict with WITH_SSP that affects src/ build.
 
 Why different name for FLAGS, i.e. SSP_FLAGS vs. SSP_CFLAGS ? There are
 ports that use bsd.{prog,lib}.mk in the tree. With your patch they'd
 only respect WITH_SSP.
Responsible-Changed-From-To: portmgr->bdrewery 
Responsible-Changed-By: bdrewery 
Responsible-Changed-When: Thu Mar 21 16:42:17 CDT 2013 
Responsible-Changed-Why:  
take 

http://www.freebsd.org/cgi/query-pr.cgi?pr=138228 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/138228: commit references a PR
Date: Wed, 12 Jun 2013 21:12:18 +0000 (UTC)

 Author: jlh
 Date: Wed Jun 12 21:12:05 2013
 New Revision: 251668
 URL: http://svnweb.freebsd.org/changeset/base/251668
 
 Log:
   Turn libc.so into an ld script rather than a symlink pointing to the
   real shared object and libssp_nonshared.a.
   
   This was the last showstopper that prevented from enabling SSP for ports
   by default.  portmgr@ performed a buildworld which showed no significant
   breakage with this patch.
   
   Details:
   
   On i386 for PIC objects, gcc uses the __stack_chk_fail_local hidden
   symbol instead of calling __stack_chk_fail directly [1].  This happen
   not only with our gcc-4.2.1 but also with the latest gcc-4.8.  If you
   want the very nasty details, see [2].
   
   OTOH the problem doesn't exist on other architectures.  It also doesn't
   exist with Clang as the latter will somehow manage to create the
   function in the object file at compile time (contrary to only
   referencing it through a symbol that will be brought in at link time).
   
   In a perfect world, when an object file is compiled with
   -fstack-protector, it will be linked into a binary or a DSO with this
   same flag as well, so GCC will add libssp_nonshared.a to the linker
   command-line.  Unfortunately, we don't control softwares in ports and we
   may have such broken DSO.  This is the whole point of this patch.
   
   You can reproduce the problem on i386 by compiling a source file into an
   object file with "-fstack-protector-all -fPIE" and linking it
   into a binary without "-fstack-protector".
   
   This ld script automatically proposes libssp_nonshared.a along with the
   real libc DSO to the linker.  It is important to understand that the
   object file contained in this library will be pulled in the resulting
   binary _only if_ the linker notices one of its symbols is needed (i.e.
   one of the SSP symbol is missing).
   
   A theorical performance impact could be when compiling, but my testing
   showed less than 0.1% of difference.
   
   [1] For 32-bit code gcc saves the PIC register setup by using
       __stack_chk_fail_local hidden function instead of calling
       __stack_chk_fail directly.  See comment line 19460 in:
       src/contrib/gcc/config/i386/i386.c
   
   [2] When compiling a source file to an object file, if you use something
       which is external to the compilation unit, GCC doesn't know yet if
       this symbol will be inside or outside the DSO.  So it expects the
       worst case and routes the symbol through the GOT, which means
       additional space and extra relocation for rtld(1).
   
       Declaring a symbol has hidden tells GCC to use the optimal route (no
       GOT), but on the other hand this means the symbol has to be provided
       in the same DSO (namely libssp_nonshared.a).
   
       On i386, GCC actually uses an hidden symbol for SSP in PIC objects
       to save PIC register setup, as said in [1].
   
   PR:		ports/138228
   PR:		ports/168010
   Reviewed by:	kib, kan
 
 Added:
   head/lib/libc/libc.ldscript   (contents, props changed)
 Modified:
   head/lib/libc/Makefile
 
 Modified: head/lib/libc/Makefile
 ==============================================================================
 --- head/lib/libc/Makefile	Wed Jun 12 20:11:49 2013	(r251667)
 +++ head/lib/libc/Makefile	Wed Jun 12 21:12:05 2013	(r251668)
 @@ -23,6 +23,7 @@ LIBC_ARCH=${MACHINE_CPUARCH}
  # to CFLAGS below.  -DSYSLIBC_SCCS affects just the system call stubs.
  LIB=c
  SHLIB_MAJOR= 7
 +SHLIB_LDSCRIPT=libc.ldscript
  WARNS?=	2
  CFLAGS+=-I${.CURDIR}/include -I${.CURDIR}/../../include
  CFLAGS+=-I${.CURDIR}/${LIBC_ARCH}
 
 Added: head/lib/libc/libc.ldscript
 ==============================================================================
 --- /dev/null	00:00:00 1970	(empty, because file is newly added)
 +++ head/lib/libc/libc.ldscript	Wed Jun 12 21:12:05 2013	(r251668)
 @@ -0,0 +1,2 @@
 +/* $FreeBSD$ */
 +GROUP ( @@SHLIB@@ @@LIBDIR@@/libssp_nonshared.a )
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: Jeremie Le Hen <jlh@FreeBSD.org>
To: Bryan Drewery <bdrewery@FreeBSD.org>
Cc: jlh@FreeBSD.org, Anonymous <swell.k@gmail.com>,
	bug-followup@FreeBSD.org
Subject: Re: ports/138228: [bsd.port.mk] New opt-in knob to compile ports
 with SSP
Date: Thu, 15 Aug 2013 11:10:25 +0200

 --bg08WKrSYDhXBjb5
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 
 On Wed, Jan 05, 2011 at 03:22:29PM +0300, Anonymous wrote:
 > > The first patch add a knew knob WITH_SSP_PORTS that, if enabled,
 > > will add -fstack-protector to CFLAGS. I've chosen this name to
 > > not conflict with WITH_SSP that affects src/ build.
 > 
 > Why different name for FLAGS, i.e. SSP_FLAGS vs. SSP_CFLAGS ? There are
 > ports that use bsd.{prog,lib}.mk in the tree. With your patch they'd
 > only respect WITH_SSP.
 
 Here is an updated patch, taking into account the recents changes in the
 base system (which help a lot).  You can scratch all the previous
 patches in this PR.
 
 The knobs are now the same as in the base system.
 
 Bryan, can you please do an exp-run with it?
 
 Cheers,
 -- 
 Jeremie Le Hen
 
 Scientists say the world is made up of Protons, Neutrons and Electrons.
 They forgot to mention Morons.
 
 --bg08WKrSYDhXBjb5
 Content-Type: text/x-diff; charset=us-ascii
 Content-Disposition: attachment; filename="ports_WITH_SSP.diff"
 
 Index: Mk/bsd.port.mk
 ===================================================================
 --- Mk/bsd.port.mk	(revision 324742)
 +++ Mk/bsd.port.mk	(working copy)
 @@ -301,6 +301,13 @@ FreeBSD_MAINTAINER=	portmgr@FreeBSD.org
  #                         passed to the compiler by setting DEBUG_FLAGS. It is
  #                         set to "-g" at default.
  #
 +# WITH_SSP		- If set, SSP_FLAGS (defaults to -fstack-protector)
 +#				  is added to CFLAGS and the necessary flags
 +#				  are added to LDFLAGS. Note that SSP_UNSAFE
 +#				  can be used in Makefiles by port maintainers
 +#				  if a port breaks with it (it should be
 +#				  extremely rare).
 +#
  # USE_BZIP2		- If set, this port tarballs use bzip2, not gzip, for
  #				  compression.
  # USE_LHA		- If set, this port distfile uses lha for compression
 @@ -1565,6 +1572,16 @@ DEBUG_FLAGS?=	-g
  CFLAGS:=		${CFLAGS:N-O*:N-fno-strict*} ${DEBUG_FLAGS}
  .endif
  
 +.if defined(WITH_SSP) && !defined(WITHOUT_SSP) && !defined(SSP_UNSAFE)
 +SSP_CFLAGS?=	-fstack-protector
 +CFLAGS:=	${CFLAGS} ${SSP_FLAGS}
 +.if ${OSVERSION} < 1000044
 +LDFLAGS:=	${LDFLAGS} -fstack-protector -lssp_nonshared
 +.else
 +LDFLAGS:=	${LDFLAGS} -fstack-protector
 +.fi
 +.endif
 +
  .if defined(NOPORTDOCS)
  PLIST_SUB+=		PORTDOCS="@comment "
  .else
 
 --bg08WKrSYDhXBjb5--

From: Jeremie Le Hen <jlh@FreeBSD.org>
To: Bryan Drewery <bdrewery@FreeBSD.org>
Cc: jlh@FreeBSD.org, bug-followup@FreeBSD.org
Subject: Re: ports/138228: [bsd.port.mk] New opt-in knob to compile ports
 with SSP
Date: Thu, 15 Aug 2013 11:36:09 +0200

 --mYCpIKhGyMATD0i+
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 
 On Thu, Aug 15, 2013 at 11:10:25AM +0200, Jeremie Le Hen wrote:
 > 
 > Bryan, can you please do an exp-run with it?
 
 Updated without a typo.  Note that the output on the GNAT web interface
 is mangled, but indentation is correct.
 
 -- 
 Jeremie Le Hen
 
 Scientists say the world is made up of Protons, Neutrons and Electrons.
 They forgot to mention Morons.
 
 --mYCpIKhGyMATD0i+
 Content-Type: text/x-diff; charset=us-ascii
 Content-Disposition: attachment; filename="ports_WITH_SSP.diff"
 
 Index: Mk/bsd.port.mk
 ===================================================================
 --- Mk/bsd.port.mk	(revision 324742)
 +++ Mk/bsd.port.mk	(working copy)
 @@ -301,6 +301,13 @@ FreeBSD_MAINTAINER=	portmgr@FreeBSD.org
  #                         passed to the compiler by setting DEBUG_FLAGS. It is
  #                         set to "-g" at default.
  #
 +# WITH_SSP		- If set, SSP_FLAGS (defaults to -fstack-protector)
 +#				  is added to CFLAGS and the necessary flags
 +#				  are added to LDFLAGS. Note that SSP_UNSAFE
 +#				  can be used in Makefiles by port maintainers
 +#				  if a port breaks with it (it should be
 +#				  extremely rare).
 +#
  # USE_BZIP2		- If set, this port tarballs use bzip2, not gzip, for
  #				  compression.
  # USE_LHA		- If set, this port distfile uses lha for compression
 @@ -1565,6 +1572,16 @@ DEBUG_FLAGS?=	-g
  CFLAGS:=		${CFLAGS:N-O*:N-fno-strict*} ${DEBUG_FLAGS}
  .endif
  
 +.if defined(WITH_SSP) && !defined(WITHOUT_SSP) && !defined(SSP_UNSAFE)
 +SSP_CFLAGS?=	-fstack-protector
 +CFLAGS:=	${CFLAGS} ${SSP_CFLAGS}
 +.if ${OSVERSION} < 1000044
 +LDFLAGS:=	${LDFLAGS} -fstack-protector -lssp_nonshared
 +.else
 +LDFLAGS:=	${LDFLAGS} -fstack-protector
 +.fi
 +.endif
 +
  .if defined(NOPORTDOCS)
  PLIST_SUB+=		PORTDOCS="@comment "
  .else
 
 --mYCpIKhGyMATD0i+--

From: Bryan Drewery <bdrewery@FreeBSD.org>
To: Jeremie Le Hen <jlh@FreeBSD.org>
Cc: Anonymous <swell.k@gmail.com>, bug-followup@FreeBSD.org,
        FreeBSD Ports Management Team <portmgr@FreeBSD.org>
Subject: Re: ports/138228: [bsd.port.mk] New opt-in knob to compile ports
 with SSP
Date: Thu, 15 Aug 2013 06:48:54 -0500

 This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
 --e4a6SlQS845v1L21hs4AFBq60x6WvO1Gk
 Content-Type: text/plain; charset=ISO-8859-1
 Content-Transfer-Encoding: quoted-printable
 
 On 8/15/2013 4:10 AM, Jeremie Le Hen wrote:
 > On Wed, Jan 05, 2011 at 03:22:29PM +0300, Anonymous wrote:
 >>> The first patch add a knew knob WITH_SSP_PORTS that, if enabled,
 >>> will add -fstack-protector to CFLAGS. I've chosen this name to
 >>> not conflict with WITH_SSP that affects src/ build.
 >>
 >> Why different name for FLAGS, i.e. SSP_FLAGS vs. SSP_CFLAGS ? There ar=
 e
 >> ports that use bsd.{prog,lib}.mk in the tree. With your patch they'd
 >> only respect WITH_SSP.
 >=20
 > Here is an updated patch, taking into account the recents changes in th=
 e
 > base system (which help a lot).  You can scratch all the previous
 > patches in this PR.
 >=20
 > The knobs are now the same as in the base system.
 >=20
 > Bryan, can you please do an exp-run with it?
 >=20
 > Cheers,
 >=20
 
 Will do this week. Thanks!
 
 --=20
 Regards,
 Bryan Drewery
 
 
 --e4a6SlQS845v1L21hs4AFBq60x6WvO1Gk
 Content-Type: application/pgp-signature; name="signature.asc"
 Content-Description: OpenPGP digital signature
 Content-Disposition: attachment; filename="signature.asc"
 
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.10 (MingW32)
 Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
 
 iQIcBAEBAgAGBQJSDMAmAAoJEG54KsA8mwz5WhIQAJJBwz1046m0CXJ7j8KWjXO4
 OHBZNFVbrsAj01pyEAzNWnQJ4zyG9I+pa8txiA32UJhI6vxzOKDMOrSjkhyD248U
 duZM2FcjMsMVg6DDvwsC+simDoPfApqKtkfqu3ihhiz+rcmZcKsvGSK7juhaXyWj
 hEkbCKX0XTxUOOuvsVxO2Xp9GmQwkP6uYCzPGPzI5UmFrWT/do6bjhi2hRvdTtBu
 u8LdBtfkgpxXA5+lCHyG37oS2XizAvTO8uWk5eZC+Ou5hDFOJ4UC2KaD+WIWszm5
 J6IxsUcXJ0FTNooPfIAQ++ulmUhi1CQKXZcvnCczv7wSy7r4DHhxjugEMFxklFyW
 cTHvRDqBJ/0AOYtYm1TFIz0OmEQx/lwvovXGzxcVqufaOWCPRTvyxN/xoACPMH4D
 UGec93X55eS38ONkY17bLlQafLBzk8b2uSa1qeX/Qq2ISKZWUfqaFSOpparwy34A
 +y2RVc6deVkmXvh17ZvUTVnaPgppccHN2ElRY+zc+XedfILfCZ/dKoLL/i1cxJdG
 f/nP/sbsUlYZqnRK0HJKGhf6x47/EUEAILhOYunDULiReJEraJhshsd1s6crMn1J
 SC+ystWavr+G00rHe/BWSFxVUqqb10UlMpUMJxgWCvznPHgJNpflgkfCzdLvhpWZ
 1TNDzD9SQtGWP3Jnyd8z
 =xiM8
 -----END PGP SIGNATURE-----
 
 --e4a6SlQS845v1L21hs4AFBq60x6WvO1Gk--

From: Jeremie Le Hen <jlh@FreeBSD.org>
To: Bryan Drewery <bdrewery@FreeBSD.org>
Cc: Jeremie Le Hen <jlh@FreeBSD.org>, bug-followup@FreeBSD.org,
	FreeBSD Ports Management Team <portmgr@FreeBSD.org>
Subject: Re: ports/138228: [bsd.port.mk] New opt-in knob to compile ports
 with SSP
Date: Sat, 17 Aug 2013 09:58:02 +0200

 On Thu, Aug 15, 2013 at 06:48:54AM -0500, Bryan Drewery wrote:
 > On 8/15/2013 4:10 AM, Jeremie Le Hen wrote:
 > > On Wed, Jan 05, 2011 at 03:22:29PM +0300, Anonymous wrote:
 > >>> The first patch add a knew knob WITH_SSP_PORTS that, if enabled,
 > >>> will add -fstack-protector to CFLAGS. I've chosen this name to
 > >>> not conflict with WITH_SSP that affects src/ build.
 > >>
 > >> Why different name for FLAGS, i.e. SSP_FLAGS vs. SSP_CFLAGS ? There are
 > >> ports that use bsd.{prog,lib}.mk in the tree. With your patch they'd
 > >> only respect WITH_SSP.
 > > 
 > > Here is an updated patch, taking into account the recents changes in the
 > > base system (which help a lot).  You can scratch all the previous
 > > patches in this PR.
 > > 
 > > The knobs are now the same as in the base system.
 > > 
 > > Bryan, can you please do an exp-run with it?
 > > 
 > > Cheers,
 > > 
 > 
 > Will do this week. Thanks!
 
 There's another problem in the patch: s/fi/endif/
 
 for i in seq 100; do
     echo I should test my patches before submitting them.
 done
 
 -- 
 Jeremie Le Hen
 
 Scientists say the world is made up of Protons, Neutrons and Electrons.
 They forgot to mention Morons.
State-Changed-From-To: open->closed 
State-Changed-By: bdrewery 
State-Changed-When: Fri Sep 20 07:55:09 CDT 2013 
State-Changed-Why:  
WITH_SSP committed! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=138228 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/138228: commit references a PR
Date: Fri, 20 Sep 2013 12:55:17 +0000 (UTC)

 Author: bdrewery
 Date: Fri Sep 20 12:54:54 2013
 New Revision: 327697
 URL: http://svnweb.freebsd.org/changeset/ports/327697
 
 Log:
   SSP support has been added to ports with WITH_SSP for i386 and amd64
   on FreeBSD 10, and amd64 on earlier versions.
   
   SSP_UNSAFE is added to disable in a port if it fails to build, but
   this should only be used in rare circumstances such as kernel modules.
   Otherwise, the port may just be failing due to lack of respecting
   LDFLAGS.
   
   On FreeBSD 10, this uses an ldscript in /usr/lib/libc.so to pull in
   libssp_nonshared.a to address issues linking on i386 [1].
   
   On earlier FreeBSD versions the WITH_SSP knob will add -lssp_nonshared
   to LDFLAGS on i386. This is not needed on amd64. However, several hundred
   ports do not currently respect LDFLAGS, so this support is disabled currently
   as it causes build failures if a dependency is looking for the stack_chk
   symbols.
   
   Many thanks to jlh@ for this as he had many years of patience in getting
   all of the necessary pieces [1][2] in.
   
   [1] http://svnweb.freebsd.org/base/head/lib/libc/libc.ldscript?revision=251668&view=markup
   
   PR:		ports/138228 [2]
   Submitted by:	jlh (bsd.ssp.mk based on)
   Reviewed by:	bapt
   With hat:	portmgr
   exp-runs done:	37 over a month on 91i386,91amd64,10i386,10amd64
 
 Added:
   head/Mk/bsd.ssp.mk   (contents, props changed)
 Modified:
   head/CHANGES
   head/Mk/bsd.port.mk
   head/UPDATING
   head/audio/csound/Makefile
   head/audio/emu10kx/Makefile
   head/audio/oss/Makefile
   head/comms/uarduno/Makefile
   head/comms/uartlirc/Makefile
   head/devel/libtecla/Makefile
   head/devel/mingw32-gcc/Makefile
   head/dns/c-ares/Makefile
   head/editors/emacs21/Makefile
   head/emulators/kqemu-kmod-devel/Makefile
   head/emulators/kqemu-kmod/Makefile
   head/emulators/open-vm-tools/Makefile
   head/emulators/parallels-tools/Makefile
   head/emulators/rtc/Makefile
   head/ftp/curl-hiphop/Makefile
   head/ftp/curl/Makefile
   head/games/gtkradiant/Makefile
   head/graphics/kix-kmod/Makefile
   head/graphics/plasma-kmod/Makefile
   head/lang/gcc/Makefile
   head/lang/gcc34/Makefile
   head/lang/gcc42/Makefile
   head/lang/gcc44/Makefile
   head/lang/gcc46/Makefile
   head/lang/gcc47/Makefile
   head/lang/gcc48/Makefile
   head/lang/gcc49/Makefile
   head/lang/libobjc2/Makefile
   head/lang/ocaml/Makefile
   head/misc/dahdi-kmod/Makefile
   head/misc/dahdi-kmod26/Makefile
   head/multimedia/cuse4bsd-kmod/Makefile
   head/multimedia/cx88/Makefile
   head/multimedia/linux_dvbwrapper-kmod/Makefile
   head/multimedia/ptx-kmod/Makefile
   head/multimedia/pwcbsd/Makefile
   head/net-mgmt/netams/Makefile
   head/net/aoe/Makefile
   head/net/etherboot/Makefile
   head/net/iet/Makefile
   head/net/ng_daphne/Makefile
   head/net/ng_mikrotik_eoip/Makefile
   head/net/skyfish/Makefile
   head/net/userfw/Makefile
   head/print/acroreadwrapper/Makefile
   head/security/quantis-kmod/Makefile
   head/sysutils/acpi_call/Makefile
   head/sysutils/biosfont/Makefile
   head/sysutils/fusefs-kmod/Makefile
   head/sysutils/graid5/Makefile
   head/sysutils/grub2/Makefile
   head/sysutils/mono-kmod/Makefile
   head/sysutils/pefs-kmod/Makefile
   head/sysutils/pmap/Makefile
   head/sysutils/scprotect/Makefile
   head/sysutils/vordog/Makefile
   head/x11/nvidia-driver/Makefile
 
 Modified: head/CHANGES
 ==============================================================================
 --- head/CHANGES	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/CHANGES	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -10,6 +10,28 @@ in the release notes and/or placed into 
  
  All ports committers are allowed to commit to this file.
  
 +20130920:
 +AUTHOR: bdrewery@FreeBSD.org
 +
 +  SSP support has been added to ports with WITH_SSP for i386 and amd64
 +  on FreeBSD 10, and amd64 on earlier versions.
 +
 +  SSP_UNSAFE is added to disable in a port if it fails to build, but
 +  this should only be used in rare circumstances such as kernel modules.
 +  Otherwise, the port may just be failing due to lack of respecting
 +  LDFLAGS.
 +
 +  On FreeBSD 10, this uses an ldscript in /usr/lib/libc.so to pull in
 +  libssp_nonshared.a to address issues linking on i386 [1].
 +  
 +  On earlier FreeBSD versions the WITH_SSP knob will add -lssp_nonshared
 +  to LDFLAGS on i386. This is not needed on amd64. However, several hundred
 +  ports do not currently respect LDFLAGS, so this support is disabled currently
 +  as it causes build failures if a dependency is looking for the stack_chk
 +  symbols.
 +
 +  [1] http://svnweb.freebsd.org/base/head/lib/libc/libc.ldscript?revision=251668&view=markup
 +
  20130919:
  AUTHOR: gahr@FreeBSD.org
  
 
 Modified: head/Mk/bsd.port.mk
 ==============================================================================
 --- head/Mk/bsd.port.mk	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/Mk/bsd.port.mk	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -301,6 +301,13 @@ FreeBSD_MAINTAINER=	portmgr@FreeBSD.org
  #                         passed to the compiler by setting DEBUG_FLAGS. It is
  #                         set to "-g" at default.
  #
 +# WITH_SSP		- If set, SSP_FLAGS (defaults to -fstack-protector)
 +#				  is added to CFLAGS and the necessary flags
 +#				  are added to LDFLAGS. Note that SSP_UNSAFE
 +#				  can be used in Makefiles by port maintainers
 +#				  if a port breaks with it (it should be
 +#				  extremely rare).
 +#
  # USE_BZIP2		- If set, this port tarballs use bzip2, not gzip, for
  #				  compression.
  # USE_LHA		- If set, this port distfile uses lha for compression
 @@ -1563,6 +1570,10 @@ DEBUG_FLAGS?=	-g
  CFLAGS:=		${CFLAGS:N-O*:N-fno-strict*} ${DEBUG_FLAGS}
  .endif
  
 +.if defined(WITH_SSP)
 +.include "${PORTSDIR}/Mk/bsd.ssp.mk"
 +.endif
 +
  .if defined(NOPORTDOCS)
  PLIST_SUB+=		PORTDOCS="@comment "
  .else
 
 Added: head/Mk/bsd.ssp.mk
 ==============================================================================
 --- /dev/null	00:00:00 1970	(empty, because file is newly added)
 +++ head/Mk/bsd.ssp.mk	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -0,0 +1,30 @@
 +# $FreeBSD$
 +# SSP Support
 +
 +SSP_Include_MAINTAINER=	portmgr@FreeBSD.org
 +
 +# See: http://svnweb.freebsd.org/base/head/lib/libc/libc.ldscript?revision=251668&view=markup
 +.if ${OSVERSION} < 1000036 && ${ARCH} == i386
 +
 +# Disabled on i386 for now on releases without the ldscript as too many ports
 +# do not respect LDFLAGS and fail to build due to not adding in -lssp_nonshared when needed
 +# despite dependencies working fine, which breaks a lot. Can enable once LDFLAGS is more
 +# supported. XXX
 +SSP_UNSAFE=		yes
 +
 +# i386 needs -lssp_nonshared, see svn link above for more information
 +SSP_NEED_NONSHARED=	yes
 +.endif
 +
 +.if defined(WITH_SSP) && !defined(WITHOUT_SSP) && !defined(SSP_UNSAFE) && \
 +    (${ARCH} == i386 || ${ARCH} == amd64)
 +# Overridable as a user may want to use -fstack-protector-all
 +SSP_CFLAGS?=	-fstack-protector
 +CFLAGS:=	${CFLAGS} ${SSP_CFLAGS}
 +LDFLAGS:=	${LDFLAGS} -fstack-protector
 +# -lssp_nonshared is needed on i386 where /usr/lib/libc.so is not an ldscript
 +# This is currently unused XXX
 +.	if defined(SSP_NEED_NONSHARED)
 +LDFLAGS:=	${LDFLAGS} -lssp_nonshared
 +.	endif
 +.endif
 
 Modified: head/UPDATING
 ==============================================================================
 --- head/UPDATING	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/UPDATING	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -5,6 +5,30 @@ they are unavoidable.
  You should get into the habit of checking this file for changes each time
  you update your ports collection, before attempting any port upgrades.
  
 +20130920:
 +  AFFECTS: Users of ports
 +  AUTHOR: bdrewery@FreeBSD.org
 +
 +  Optional Stack Protector [1] support has been added with the WITH_SSP
 +  knob.
 +
 +  This currently is only supported on FreeBSD 10 amd64/i386 and earlier
 +  releases on amd64 only.
 +
 +  The default SSP_CLFAGS is -fstack-protector, but -fstack-protector-all
 +  may optionally be set instead.
 +
 +  To enable support, add WITH_SSP=yes to your make.conf and rebuild all
 +  ports.
 +
 +  # portmaster -af
 +
 +  or
 +
 +  # portupgrade -af
 +
 +  [1] https://en.wikipedia.org/wiki/Buffer_overflow_protection
 +
  20130904:
    AFFECTS: 10-CURRENT users with any port depending on converters/libiconv
    AUTHOR: madpilot@FreeBSD.org
 
 Modified: head/audio/csound/Makefile
 ==============================================================================
 --- head/audio/csound/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/audio/csound/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -35,6 +35,7 @@ FLTK_DESC=	Build FLTK plugin and GUI
  
  CONFLICTS_INSTALL=	outguess-*
  
 +SSP_UNSAFE=	yes
  USE_PYTHON=	2.6+
  USES=		bison gettext
  USE_SCONS=	yes
 
 Modified: head/audio/emu10kx/Makefile
 ==============================================================================
 --- head/audio/emu10kx/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/audio/emu10kx/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -1,9 +1,5 @@
 -# Ports collection makefile for: emu10kx
 -# Date created:  7 Aug 2005
 -# Whom: michaels@sdf.lonestar.org
 -#
 +# Created by: michaels@sdf.lonestar.org
  # $FreeBSD$
 -#
  
  PORTNAME=	emu10kx
  PORTVERSION=	20051021
 @@ -17,6 +13,7 @@ COMMENT=	SBLive!, Audigy, and Audigy2 dr
  USE_BZIP2=	yes
  
  NO_PACKAGE=	should be recompiled for a particular FreeBSD kernel
 +SSP_UNSAFE=	kernel module does not support ssp
  
  MAN8=	emuctrl.8
  PLIST_FILES=	sbin/emuctrl etc/rc.d/emuctrl.sh
 
 Modified: head/audio/oss/Makefile
 ==============================================================================
 --- head/audio/oss/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/audio/oss/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -14,6 +14,7 @@ LICENSE=	BSD
  
  BUILD_DEPENDS=	gawk:${PORTSDIR}/lang/gawk
  
 +SSP_UNSAFE=	kernel module does not support ssp
  USE_BZIP2=	yes
  ALL_TARGET=	all install
  USE_GNOME=	gtk20
 
 Modified: head/comms/uarduno/Makefile
 ==============================================================================
 --- head/comms/uarduno/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/comms/uarduno/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -11,6 +11,8 @@ COMMENT=	FreeBSD Kernel Driver for the A
  
  NO_PACKAGE=	You must (re)build this port with your kernel source
  
 +SSP_UNSAFE=	kernel module does not support ssp
 +
  # need to enforce installation into kernel module directory
  MAKE_ENV+=	KMODDIR=${KMODDIR}
  PREFIX=		${KMODDIR}
 
 Modified: head/comms/uartlirc/Makefile
 ==============================================================================
 --- head/comms/uartlirc/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/comms/uartlirc/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -1,9 +1,5 @@
 -# New ports collection makefile for:	uarlirc
 -# Date created:				Sun May 13 17:39:40 CEST 2012
 -# Whom:					nox@FreeBSD.org
 -#
 +# Created by: nox@FreeBSD.org
  # $FreeBSD$
 -#
  
  PORTNAME=	uartlirc
  PORTVERSION=	0.3
 @@ -17,6 +13,8 @@ EXTRACT_SUFX=	.shar
  MAINTAINER=	nox@FreeBSD.org
  COMMENT=	Driver for "homebrew" serial LIRC receivers
  
 +SSP_UNSAFE=	kernel module does not support ssp
 +
  WRKSRC=		${WRKDIR}/${PORTNAME}
  EXTRACT_CMD=	${SH}
  EXTRACT_BEFORE_ARGS=
 
 Modified: head/devel/libtecla/Makefile
 ==============================================================================
 --- head/devel/libtecla/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/devel/libtecla/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -1,10 +1,5 @@
 -# ex:ts=8
 -# New ports collection makefile for:	libtecla
 -# Date created:		Feb 12, 2001
 -# Whom:			Ying-Chieh Liao <ijliao@FreeBSD.org>
 -#
 +# Created by: Ying-Chieh Liao <ijliao@FreeBSD.org>
  # $FreeBSD$
 -#
  
  PORTNAME=	libtecla
  PORTVERSION=	1.6.2
 @@ -25,6 +20,7 @@ SCRIPTS_ENV=	WRKDIRPREFIX="${WRKDIRPREFI
  		REALCURDIR="${.CURDIR}" \
  		PORTNAME="${PORTNAME}"
  MAKE_JOBS_UNSAFE=	yes
 +SSP_UNSAFE=	yes
  
  .include <bsd.port.pre.mk>
  
 
 Modified: head/devel/mingw32-gcc/Makefile
 ==============================================================================
 --- head/devel/mingw32-gcc/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/devel/mingw32-gcc/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -20,6 +20,8 @@ LIB_DEPENDS=	gmp:${PORTSDIR}/math/gmp \
  
  GCCVERSION=	4.7.2
  
 +SSP_UNSAFE=	yes
 +
  ONLY_FOR_ARCHS=	amd64 i386 powerpc powerpc64 sparc64
  USE_LDCONFIG=	yes
  USES=		bison iconv gmake perl5
 
 Modified: head/dns/c-ares/Makefile
 ==============================================================================
 --- head/dns/c-ares/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/dns/c-ares/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -13,6 +13,8 @@ COMMENT=	An asynchronous DNS resolver li
  
  LICENSE=	MIT
  
 +SSP_UNSAFE=	Refuses -l in LDFLAGS
 +
  OPTIONS_DEFINE=		CONFIG_INFO DEBUG HIDE_SYMBOLS OPTIMIZED_CFLAGS
  OPTIONS_DEFAULT=	CONFIG_INFO HIDE_SYMBOLS
  
 
 Modified: head/editors/emacs21/Makefile
 ==============================================================================
 --- head/editors/emacs21/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/editors/emacs21/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -21,6 +21,8 @@ CONFLICTS=	emacs-19.* emacs-22.* emacs-2
  		xemacs-[0-9]* xemacs-devel-[0-9]* \
  		xemacs-mule-[0-9]* xemacs-devel-mule-[0-9]*
  
 +SSP_UNSAFE=	yes
 +
  .if !defined(WITHOUT_X11)
  LIB_DEPENDS=	Xaw3d:${PORTSDIR}/x11-toolkits/Xaw3d \
  		jpeg.11:${PORTSDIR}/graphics/jpeg \
 
 Modified: head/emulators/kqemu-kmod-devel/Makefile
 ==============================================================================
 --- head/emulators/kqemu-kmod-devel/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/emulators/kqemu-kmod-devel/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -19,6 +19,8 @@ COMMENT=	Kernel Accelerator for QEMU CPU
  LICENSE=	GPLv2
  LICENSE_FILE=	${WRKSRC}/COPYING
  
 +SSP_UNSAFE=	kernel module does not support ssp
 +
  ONLY_FOR_ARCHS=	i386 amd64
  HAS_CONFIGURE=	yes
  USE_GMAKE=	yes
 
 Modified: head/emulators/kqemu-kmod/Makefile
 ==============================================================================
 --- head/emulators/kqemu-kmod/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/emulators/kqemu-kmod/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -19,6 +19,8 @@ COMMENT=	Kernel Accelerator for QEMU CPU
  LICENSE=	GPLv2
  LICENSE_FILE=	${WRKSRC}/COPYING
  
 +SSP_UNSAFE=	kernel module does not support ssp
 +
  ONLY_FOR_ARCHS=	i386 amd64
  HAS_CONFIGURE=	yes
  USE_GMAKE=	yes
 
 Modified: head/emulators/open-vm-tools/Makefile
 ==============================================================================
 --- head/emulators/open-vm-tools/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/emulators/open-vm-tools/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -24,6 +24,8 @@ USES=			pkgconfig
  USE_LDCONFIG=		yes
  CPPFLAGS+=		-Wno-deprecated-declarations
  
 +SSP_UNSAFE=		kernel module does not support ssp
 +
  CONFIGURE_ARGS+=	--without-procps --sysconfdir=${LOCALBASE}/etc
  .if defined(WITHOUT_X11)
  LIB_DEPENDS+=		glib-2.0:${PORTSDIR}/devel/glib20
 
 Modified: head/emulators/parallels-tools/Makefile
 ==============================================================================
 --- head/emulators/parallels-tools/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/emulators/parallels-tools/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -1,9 +1,5 @@
 -# New ports collection makefile for:	parallels-tools
 -# Date created:		14 Jun 2009
 -# Whom:			Alexander Nedotsukov <bland@FreeBSD.org>
 -#
 +# Created by: Alexander Nedotsukov <bland@FreeBSD.org>
  # $FreeBSD$
 -#
  
  PORTNAME=	parallels-tools
  PORTVERSION=	0.1.1
 @@ -14,6 +10,7 @@ MASTER_SITE_SUBDIR=	bland
  MAINTAINER=	bland@FreeBSD.org
  COMMENT=	Parallels Desktop Tools for FreeBSD
  
 +SSP_UNSAFE=	kernel module does not support ssp
  USE_BZIP2=	yes
  
  ONLY_FOR_ARCHS=	amd64 i386
 
 Modified: head/emulators/rtc/Makefile
 ==============================================================================
 --- head/emulators/rtc/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/emulators/rtc/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -1,9 +1,5 @@
 -# New ports collection makefile for:	rtc
 -# Date created:		28 March 2000
 -# Whom:			Akinori MUSHA aka knu <knu@idaemons.org>
 -#
 +# Created by: Akinori MUSHA aka knu <knu@idaemons.org>
  # $FreeBSD$
 -#
  
  PORTNAME=	rtc
  PORTVERSION=	2004.02.24.1
 @@ -17,6 +13,7 @@ COMMENT=	Kernel module which provides /d
  
  WRKSRC=		${WRKDIR}/files
  
 +SSP_UNSAFE=	kernel module does not support ssp
  NO_FETCH=	yes
  USE_LINUX=	yes	# because of ${DEVDIR}
  
 
 Modified: head/ftp/curl-hiphop/Makefile
 ==============================================================================
 --- head/ftp/curl-hiphop/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/ftp/curl-hiphop/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -1,15 +1,13 @@
 -# New ports collection makefile for:	curl-hiphop
 -# Date created:		16 July 2012
 -# Whom:			Martin Matuska <mm@FreeBSd.org>
 -#
 +# Created by: Martin Matuska <mm@FreeBSD.org>
  # $FreeBSD$
 -#
  
  PKGNAMESUFFIX=	-hiphop
  
  MAINTAINER=	mm@FreeBSD.org
  COMMENT=	Static libcurl with custom patches for HipHop
  
 +SSP_UNSAFE=	Refuses -l in LDFLAGS
 +
  BUILDING_HIPHOP=	yes
  
  HIPHOP_DIR=	share/hiphop-php
 
 Modified: head/ftp/curl/Makefile
 ==============================================================================
 --- head/ftp/curl/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/ftp/curl/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -14,6 +14,8 @@ COMMENT?=	Non-interactive tool to get fi
  
  LICENSE=	MIT
  
 +SSP_UNSAFE=	Refuses -l in LDFLAGS
 +
  OPTIONS_DEFINE=	CA_BUNDLE COOKIES CURL_DEBUG DEBUG DOCS EXAMPLES GSSAPI IDN IPV6 LDAP LDAPS LIBSSH2 NTLM PROXY RTMP SPNEGO TLS_SRP
  OPTIONS_RADIO=	RESOLV SSL
  OPTIONS_RADIO_RESOLV=	CARES THREADED_RESOLVER
 
 Modified: head/games/gtkradiant/Makefile
 ==============================================================================
 --- head/games/gtkradiant/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/games/gtkradiant/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -20,6 +20,7 @@ LIB_DEPENDS=	libgtkglext-x11-1.0.so:${PO
  		libmhash.so:${PORTSDIR}/security/mhash \
  		libpng15.so:${PORTSDIR}/graphics/png
  
 +SSP_UNSAFE=	yes
  USES=		pkgconfig
  USE_ZIP=	yes
  USE_GNOME=	gtk20 libxml2
 
 Modified: head/graphics/kix-kmod/Makefile
 ==============================================================================
 --- head/graphics/kix-kmod/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/graphics/kix-kmod/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -1,9 +1,5 @@
 -# New ports collection makefile for:	kix-kmod
 -# Date created:				4 January 2003
 -# Whom:					Jonathan Belson <jon@witchspace.com>
 -#
 +# Created by: Jonathan Belson <jon@witchspace.com>
  # $FreeBSD$
 -#
  
  PORTNAME=       kix
  PORTVERSION=	1.0
 @@ -16,6 +12,8 @@ PKGNAMESUFFIX=	-kmod
  MAINTAINER=	jon@witchspace.com
  COMMENT=	A graphical screensaver kernel module
  
 +SSP_UNSAFE=	kernel module does not support ssp
 +
  .include <bsd.port.pre.mk>
  
  SYSDIR?=	${SRC_BASE}/sys
 
 Modified: head/graphics/plasma-kmod/Makefile
 ==============================================================================
 --- head/graphics/plasma-kmod/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/graphics/plasma-kmod/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -1,9 +1,5 @@
 -# New ports collection makefile for:	plasma-kmod
 -# Date created:				24 January 2001
 -# Whom:					George Reid <greid@ukug.uk.freebsd.org>
 -#
 +# Created by: George Reid <greid@ukug.uk.freebsd.org>
  # $FreeBSD$
 -#
  
  PORTNAME=	plasma
  PORTVERSION=	0.1
 @@ -17,6 +13,8 @@ COMMENT=	A plasma-effect screensaver ker
  
  LICENSE=	BSD
  
 +SSP_UNSAFE=	kernel module does not support ssp
 +
  .include <bsd.port.pre.mk>
  
  .if !exists(${SRC_BASE}/sys/dev/syscons/syscons.h)
 
 Modified: head/lang/gcc/Makefile
 ==============================================================================
 --- head/lang/gcc/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/lang/gcc/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -32,6 +32,7 @@ USES=		bison gmake iconv perl5
  USE_BINUTILS=	yes
  USE_BZIP2=	yes
  USE_PERL5=	build
 +SSP_UNSAFE=	yes
  
  PATCH_WRKSRC=	${SRCDIR}
  CONFIGURE_SCRIPT=	../${SRCDIR:S/${WRKDIR}\///}/configure
 
 Modified: head/lang/gcc34/Makefile
 ==============================================================================
 --- head/lang/gcc34/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/lang/gcc34/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -21,6 +21,7 @@ LATEST_LINK=	gcc${SUFFIX}${PKGNAMESUFFIX
  USES=		bison gmake iconv perl5
  USE_BZIP2=	yes
  USE_PERL=	build
 +SSP_UNSAFE=	yes
  
  PATCH_WRKSRC=	${SRCDIR}
  CONFIGURE_SCRIPT=	../${SRCDIR:C/${WRKDIR}//}/configure
 
 Modified: head/lang/gcc42/Makefile
 ==============================================================================
 --- head/lang/gcc42/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/lang/gcc42/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -27,6 +27,7 @@ USES=		bison gmake iconv perl5
  USE_BZIP2=	yes
  USE_CSTD=	gnu89
  USE_PERL5=	build
 +SSP_UNSAFE=	yes
  
  PATCH_WRKSRC=	${SRCDIR}
  CONFIGURE_SCRIPT=	../${SRCDIR:S/${WRKDIR}\///}/configure
 
 Modified: head/lang/gcc44/Makefile
 ==============================================================================
 --- head/lang/gcc44/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/lang/gcc44/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -25,6 +25,7 @@ USE_BINUTILS=	yes
  USES=		bison gmake iconv perl5
  USE_BZIP2=	yes
  USE_PERL5=	build
 +SSP_UNSAFE=	yes
  
  PATCH_WRKSRC=	${SRCDIR}
  CONFIGURE_SCRIPT=	../${SRCDIR:S/${WRKDIR}\///}/configure
 
 Modified: head/lang/gcc46/Makefile
 ==============================================================================
 --- head/lang/gcc46/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/lang/gcc46/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -34,6 +34,7 @@ USES=		bison gmake iconv perl5
  USE_BINUTILS=	yes
  USE_BZIP2=	yes
  USE_PERL5=	build
 +SSP_UNSAFE=	yes
  
  PATCH_WRKSRC=	${SRCDIR}
  CONFIGURE_SCRIPT=	../${SRCDIR:S/${WRKDIR}\///}/configure
 
 Modified: head/lang/gcc47/Makefile
 ==============================================================================
 --- head/lang/gcc47/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/lang/gcc47/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -33,6 +33,7 @@ USES=		bison gmake iconv perl5
  USE_BINUTILS=	yes
  USE_BZIP2=	yes
  USE_PERL5=	build
 +SSP_UNSAFE=	yes
  
  PATCH_WRKSRC=	${SRCDIR}
  CONFIGURE_SCRIPT=	../${SRCDIR:S/${WRKDIR}\///}/configure
 
 Modified: head/lang/gcc48/Makefile
 ==============================================================================
 --- head/lang/gcc48/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/lang/gcc48/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -33,6 +33,7 @@ USES=		bison gmake iconv perl5
  USE_BINUTILS=	yes
  USE_BZIP2=	yes
  USE_PERL5=	build
 +SSP_UNSAFE=	yes
  
  PATCH_WRKSRC=	${SRCDIR}
  CONFIGURE_SCRIPT=	../${SRCDIR:S/${WRKDIR}\///}/configure
 
 Modified: head/lang/gcc49/Makefile
 ==============================================================================
 --- head/lang/gcc49/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/lang/gcc49/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -33,6 +33,7 @@ USES=		gmake iconv perl5
  USE_BINUTILS=	yes
  USE_BZIP2=	yes
  USE_PERL5=	build
 +SSP_UNSAFE=	yes
  
  PATCH_WRKSRC=	${SRCDIR}
  CONFIGURE_SCRIPT=	../${SRCDIR:S/${WRKDIR}\///}/configure
 
 Modified: head/lang/libobjc2/Makefile
 ==============================================================================
 --- head/lang/libobjc2/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/lang/libobjc2/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -9,6 +9,8 @@ MASTER_SITES=	http://download.gna.org/gn
  MAINTAINER=	theraven@FreeBSD.org
  COMMENT=	Replacement Objective-C runtime supporting modern Objective-C features
  
 +SSP_UNSAFE=	yes
 +
  .include <bsd.port.options.mk>
  
  USES=		cmake
 
 Modified: head/lang/ocaml/Makefile
 ==============================================================================
 --- head/lang/ocaml/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/lang/ocaml/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -20,6 +20,7 @@ REINPLACE_ARGS=	-i ""
  HAS_CONFIGURE=	yes
  ALL_TARGET=	world.opt
  STRIP=
 +SSP_UNSAFE=	yes
  MAKE_JOBS_UNSAFE=	yes
  
  CONFIGURE_ARGS=	-verbose -prefix "${PREFIX}" -cc "${CC}" -as "${AS}" \
 
 Modified: head/misc/dahdi-kmod/Makefile
 ==============================================================================
 --- head/misc/dahdi-kmod/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/misc/dahdi-kmod/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -1,9 +1,5 @@
 -# Ports collection makefile for:	dahdi
 -# Date created:				3 Mar 2010
 -# Whom:					Maxim Khon <fjoe@FreeBSD.org>
 -#
 +# Created by: Maxim Khon <fjoe@FreeBSD.org>
  # $FreeBSD$
 -#
  
  PORTNAME=	dahdi-kmod
  PORTVERSION=	${DAHDI_VERSION:S/-//g}
 @@ -22,6 +18,8 @@ COMMENT=	Digium/Asterisk Hardware Device
  
  RUN_DEPENDS=	${LOCALBASE}/sbin/dahdi_cfg:${PORTSDIR}/misc/dahdi
  
 +SSP_UNSAFE=	kernel module does not support ssp
 +
  DAHDI_VERSION=		2.4.0-rc5
  DAHDI_TOOLS_VERSION=	2.4.0-rc1
  OSLEC_VERSION=		2.6.35.4
 
 Modified: head/misc/dahdi-kmod26/Makefile
 ==============================================================================
 --- head/misc/dahdi-kmod26/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/misc/dahdi-kmod26/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -1,9 +1,5 @@
 -# Ports collection makefile for:	dahdi
 -# Date created:				3 Mar 2010
 -# Whom:					Maxim Khon <fjoe@FreeBSD.org>
 -#
 +# Created by: Maxim Khon <fjoe@FreeBSD.org>
  # $FreeBSD$
 -#
  
  PORTNAME=	dahdi-kmod26
  PORTVERSION=	${DAHDI_VERSION:S/-/./g}
 @@ -22,6 +18,8 @@ COMMENT=	Digium/Asterisk Hardware Device
  
  RUN_DEPENDS=	${LOCALBASE}/sbin/dahdi_cfg:${PORTSDIR}/misc/dahdi
  
 +SSP_UNSAFE=	kernel module does not support ssp
 +
  DAHDI_VERSION=		2.6.1-r10738
  DAHDI_TOOLS_VERSION=	2.4.0-rc1
  OSLEC_VERSION=		2.6.35.4
 
 Modified: head/multimedia/cuse4bsd-kmod/Makefile
 ==============================================================================
 --- head/multimedia/cuse4bsd-kmod/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/multimedia/cuse4bsd-kmod/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -11,6 +11,7 @@ COMMENT=	Cuse4BSD character device loopb
  
  CONFLICTS=	video4bsd-kmod*
  
 +SSP_UNSAFE=	kernel module does not support ssp
  USE_BZIP2=	yes
  
  KMODDIR=	/boot/modules
 
 Modified: head/multimedia/cx88/Makefile
 ==============================================================================
 --- head/multimedia/cx88/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/multimedia/cx88/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -18,6 +18,7 @@ KMODDIR=	/boot/modules
  PLIST_SUB+=	KMODDIR=${KMODDIR}
  MAKE_ARGS+=	LIBTUNER_LIB=${LOCALBASE}/lib/libtuner LIBTUNER_HEADER=${LOCALBASE}/include/libtuner KMODDIR=${KMODDIR}
  MAKE_JOBS_UNSAFE=	yes
 +SSP_UNSAFE=	kernel module does not support ssp
  
  OPTIONS_DEFINE=	DEBUG LINUX_COMPAT HAL
  
 
 Modified: head/multimedia/linux_dvbwrapper-kmod/Makefile
 ==============================================================================
 --- head/multimedia/linux_dvbwrapper-kmod/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/multimedia/linux_dvbwrapper-kmod/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -10,6 +10,7 @@ DISTFILES=	# none
  MAINTAINER=	nox@FreeBSD.org
  COMMENT=	Linux compatibility layer - DVB ioctl handler
  
 +SSP_UNSAFE=	kernel module does not support ssp
  ONLY_FOR_ARCHS=	i386 amd64
  
  .include <bsd.port.pre.mk>
 
 Modified: head/multimedia/ptx-kmod/Makefile
 ==============================================================================
 --- head/multimedia/ptx-kmod/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/multimedia/ptx-kmod/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -13,6 +13,8 @@ COMMENT=	Device driver for PT1/PT2 ISDB-
  
  LICENSE=	GPLv3
  
 +SSP_UNSAFE=	kernel module does not support ssp
 +
  ONLY_FOR_ARCHS=	amd64 i386
  BUILD_WRKSRC=	${WRKSRC}/dev/ptx
  MAKE_ENV=	KMODDIR=${PREFIX}/${KMODDIR} SYSDIR=${SYSDIR}
 
 Modified: head/multimedia/pwcbsd/Makefile
 ==============================================================================
 --- head/multimedia/pwcbsd/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/multimedia/pwcbsd/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -15,6 +15,8 @@ COMMENT=	The Linux pwc webcam driver por
  
  CONFLICTS=	pwcview-[0-9]*
  
 +SSP_UNSAFE=	kernel module does not support ssp
 +
  MAN4=		pwc.4
  
  WRKSRC=		${WRKDIR}/${PORTNAME}
 
 Modified: head/net-mgmt/netams/Makefile
 ==============================================================================
 --- head/net-mgmt/netams/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/net-mgmt/netams/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -12,6 +12,7 @@ COMMENT=	Network Traffic Accounting and 
  
  LIB_DEPENDS=	pcap.1:${PORTSDIR}/net/libpcap
  
 +SSP_UNSAFE=	kernel module does not support ssp
  USE_SUBMAKE=	yes
  SUB_FILES=	pkg-message
  USE_RC_SUBR=	netams
 
 Modified: head/net/aoe/Makefile
 ==============================================================================
 --- head/net/aoe/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/net/aoe/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -1,13 +1,9 @@
 -# Ports collection makefile for:	aoe (ATA Over Ethernet) driver
 -# Date created:				22 May 2006
 -# Whom:					Stacey D. Son <sds@son.org>
 -#
 +# Created by: Stacey D. Son <sds@son.org>
  # $FreeBSD$
 -#
  
  PORTNAME=	aoe
  PORTVERSION=	1.2.0
 -CATEGORIES=	net
 +CATEGORIES=	net kld
  MASTER_SITES=	http://www.son.org/download/
  DISTNAME=	${PORTNAME}-freebsd-${PORTVERSION}
  
 @@ -15,6 +11,7 @@ MAINTAINER=	fjoe@FreeBSD.org
  COMMENT=	FreeBSD driver for ATA over Ethernet (AoE)
  
  NO_PACKAGE=	Should be in sync with the kernel to work correctly
 +SSP_UNSAFE=	kernel module does not support ssp
  
  WRKSRC=		${WRKDIR}/dev/aoe
  MAN4=		aoe.4
 
 Modified: head/net/etherboot/Makefile
 ==============================================================================
 --- head/net/etherboot/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/net/etherboot/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -9,6 +9,7 @@ MASTER_SITES=	SF http://etherboot.berlio
  MAINTAINER=	ambrisko@FreeBSD.org
  COMMENT=	Network boot of FreeBSD a.out/ELF kernels (improved netboot)
  
 +SSP_UNSAFE=	yes
  ONLY_FOR_ARCHS=	i386
  NO_PACKAGE=	lots of configuration necessary
  
 
 Modified: head/net/iet/Makefile
 ==============================================================================
 --- head/net/iet/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/net/iet/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -4,7 +4,7 @@
  PORTNAME=	iet
  PORTVERSION=	1.4.20.2
  PORTREVISION=	6
 -CATEGORIES=	net
 +CATEGORIES=	net kld
  MASTER_SITES=	SF/iscsitarget/iscsitarget/${PORTVERSION}/
  DISTNAME=	iscsitarget-${PORTVERSION}
  
 @@ -18,6 +18,7 @@ COMMENT=	The iSCSI Enterprise Target
  
  LICENSE=	GPLv2
  
 +SSP_UNSAFE=	kernel module does not support ssp
  BUILD_WRKSRC=	${WRKSRC}/freebsd
  INSTALL_WRKSRC=	${BUILD_WRKSRC}
  
 
 Modified: head/net/ng_daphne/Makefile
 ==============================================================================
 --- head/net/ng_daphne/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/net/ng_daphne/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -1,9 +1,5 @@
 -# New ports collection makefile for:	ng_daphne
 -# Date created:		8 November 2003
 -# Whom:			Gerasimos Dimitriadis
 -#
 +# Created by: Gerasimos Dimitriadis
  # $FreeBSD$
 -#
  
  PORTNAME=	ng_daphne
  PORTVERSION=	1.0
 @@ -15,6 +11,8 @@ MASTER_SITES=	http://newton.ee.auth.gr/n
  MAINTAINER=	gedimitr@auth.gr
  COMMENT=	A simple netgraph module for multihop ad hoc networks
  
 +SSP_UNSAFE=	kernel module does not support ssp
 +
  .include <bsd.port.pre.mk>
  
  SYSDIR?=	${SRC_BASE}/sys
 
 Modified: head/net/ng_mikrotik_eoip/Makefile
 ==============================================================================
 --- head/net/ng_mikrotik_eoip/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/net/ng_mikrotik_eoip/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -12,6 +12,8 @@ COMMENT=	Netgraph node for Mikrotik EoIP
  
  LICENSE=	BSD
  
 +SSP_UNSAFE=	kernel module does not support ssp
 +
  OPTIONS_DEFINE=	PTABLE	
  PTABLE_DESC=	Use O(1) lookup for tunnel hooks
  # This option enables usage of static pointer table to find needed decimal-named hook,
 
 Modified: head/net/skyfish/Makefile
 ==============================================================================
 --- head/net/skyfish/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/net/skyfish/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -1,9 +1,5 @@
 -# New ports collection makefile for:   skyfish
 -# Date created:        23 May 2008
 -# Whom:                Nsand <nsand@sura.ru>
 -#
 +# Created by: Nsand <nsand@sura.ru>
  # $FreeBSD$
 -#
  
  PORTNAME=	skyfish
  PORTVERSION=	0.91
 @@ -13,6 +9,8 @@ MASTER_SITES=	ftp://ftp.lissyara.su/user
  MAINTAINER=	nsand@sura.ru
  COMMENT=	Grabbing TCP streams from network interface (SAT internet)
  
 +SSP_UNSAFE=	kernel module does not support ssp
 +
  .include <bsd.port.pre.mk>
  
  SYSDIR?=	${SRC_BASE}/sys
 
 Modified: head/net/userfw/Makefile
 ==============================================================================
 --- head/net/userfw/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/net/userfw/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -1,9 +1,5 @@
 -# New ports collection makefile for:   userfw
 -# Date created:        10 Mar 2012
 -# Whom:                Maxim Ignatenko
 -#
 +# Created by: Maxim Ignatenko
  # $FreeBSD$
 -#
  
  PORTNAME=	userfw
  PORTVERSION=	0.1.3
 @@ -17,6 +13,7 @@ COMMENT=	Modular packet filter
  
  LICENSE=	BSD
  
 +SSP_UNSAFE=	kernel module does not support ssp
  USE_XZ=		yes
  USES=		cmake:outsource
  USE_LDCONFIG=	yes
 
 Modified: head/print/acroreadwrapper/Makefile
 ==============================================================================
 --- head/print/acroreadwrapper/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/print/acroreadwrapper/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -1,13 +1,9 @@
 -# New ports collection makefile for:	acroreadwrapper
 -# Date created:		20 February 2006
 -# Whom:			hrs
 -#
 +# Created by: hrs
  # $FreeBSD$
 -#
  
  PORTNAME=	acroreadwrapper
  PORTVERSION=	0.0.20130208
 -CATEGORIES=	print
 +CATEGORIES=	print kld
  MASTER_SITES=	http://people.allbsd.org/~hrs/FreeBSD/
  DISTNAME=	linux_adobe_kmod-${PORTVERSION:E}
  
 @@ -18,6 +14,8 @@ LICENSE=	BSD
  
  RUN_DEPENDS=	${LOCALBASE}/lib/linux-libgtkembedmoz/libgtkembedmoz.so:${PORTSDIR}/www/linux-libgtkembedmoz
  
 +SSP_UNSAFE=	kernel module does not support ssp
 +
  ONLY_FOR_ARCHS=	amd64 i386
  PLIST_FILES=	bin/acroread8 bin/acroread9 bin/acroread \
  		${KMODDIR}/linux_adobe.ko
 
 Modified: head/security/quantis-kmod/Makefile
 ==============================================================================
 --- head/security/quantis-kmod/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/security/quantis-kmod/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -17,6 +17,7 @@ LICENSE=	BSD GPLv2
  LICENSE_COMB=	dual
  LICENSE_FILE=	${WRKDIR}/Quantis-${DISTVERSION}/License.txt
  
 +SSP_UNSAFE=	kernel module does not support ssp
  USE_ZIP=	yes
  EXTRACT_BEFORE_ARGS=	-aqo
  
 
 Modified: head/sysutils/acpi_call/Makefile
 ==============================================================================
 --- head/sysutils/acpi_call/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/sysutils/acpi_call/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -1,9 +1,5 @@
 -# New ports collection makefile for:	acpi_call
 -# Date created:				15 Oct 2011
 -# Whom:					Maxim Ignatenko
 -#
 +# Created by: Maxim Ignatenko
  # $FreeBSD$
 -#
  
  PORTNAME=	acpi_call
  PORTVERSION=	1.0.1
 @@ -16,6 +12,8 @@ COMMENT=	Kernel module for calling ACPI 
  
  LICENSE=	BSD
  
 +SSP_UNSAFE=	kernel module does not support ssp
 +
  .include <bsd.port.pre.mk>
  
  KMODDIR?=	/boot/modules
 
 Modified: head/sysutils/biosfont/Makefile
 ==============================================================================
 --- head/sysutils/biosfont/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/sysutils/biosfont/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -11,6 +11,8 @@ COMMENT=	Kernel module to retrieve bitma
  
  LICENSE=	BSD
  
 +SSP_UNSAFE=	kernel module does not support ssp
 +
  # only platforms guraranteed to be ok, feedback/patches are welcome
  ONLY_FOR_ARCHS=	i386 amd64
  
 
 Modified: head/sysutils/fusefs-kmod/Makefile
 ==============================================================================
 --- head/sysutils/fusefs-kmod/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/sysutils/fusefs-kmod/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -17,6 +17,8 @@ COMMENT=	Kernel module for fuse
  
  BUILD_DEPENDS=	fusefs-libs>2.4.1:${PORTSDIR}/sysutils/fusefs-libs
  
 +SSP_UNSAFE=	kernel module does not support ssp
 +
  USE_RC_SUBR=	fusefs
  KMODDIR?=	${PREFIX}/modules
  PLIST_SUB=	KMODDIR=${KMODDIR}
 
 Modified: head/sysutils/graid5/Makefile
 ==============================================================================
 --- head/sysutils/graid5/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/sysutils/graid5/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -1,9 +1,5 @@
 -# New ports collection makefile for:	graid5
 -# Date created:				09 Nov 2010
 -# Whom:					Lev Serebryakov <lev@FreeBSD.org>
 -#
 +# Created by: Lev Serebryakov <lev@FreeBSD.org>
  # $FreeBSD$
 -#
  
  PORTNAME=	graid5
  PORTVERSION=	${MAINVERSION}.${VERSIONDATE}
 @@ -14,6 +10,7 @@ MASTER_SITES=	http://lev.serebryakov.spb
  MAINTAINER=	lev@FreeBSD.org
  COMMENT=	RAID5 geom class
  
 +SSP_UNSAFE=	kernel module does not support ssp
  USE_BZIP2=	yes
  
  NO_PACKAGE=	should be recompiled for a particular FreeBSD kernel
 
 Modified: head/sysutils/grub2/Makefile
 ==============================================================================
 --- head/sysutils/grub2/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/sysutils/grub2/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -17,6 +17,7 @@ BUILD_DEPENDS=	${LOCALBASE}/bin/flex:${P
  		help2man:${PORTSDIR}/misc/help2man
  
  CONFLICTS=	grub-0*
 +SSP_UNSAFE=	yes
  USE_XZ=		yes
  USE_GCC=	yes
  USE_AUTOTOOLS=	automake aclocal autoconf
 
 Modified: head/sysutils/mono-kmod/Makefile
 ==============================================================================
 --- head/sysutils/mono-kmod/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/sysutils/mono-kmod/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -1,9 +1,5 @@
 -# Ports collection makefile for: mono-kmod
 -# Date created:		14 April 2007
 -# Whom:			bkoenig@cs.tu-berlin.de
 -#
 +# Created by: bkoenig@cs.tu-berlin.de
  # $FreeBSD$
 -#
  
  PORTNAME=	mono-kmod
  PORTVERSION=	20070416
 @@ -15,6 +11,7 @@ COMMENT=	Execute .NET applications from 
  
  ONLY_FOR_ARCHS=	i386 amd64 arm
  
 +SSP_UNSAFE=	kernel module does not support ssp
  USE_BZIP2=	yes
  KMODDIR?=	/boot/modules
  SUB_FILES=	pkg-message
 
 Modified: head/sysutils/pefs-kmod/Makefile
 ==============================================================================
 --- head/sysutils/pefs-kmod/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/sysutils/pefs-kmod/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -1,4 +1,4 @@
 -# Created by: Gleb Kurtsou <gleb@freebsd.org>
 +# Created by: Gleb Kurtsou <gleb@FreeBSD.org>
  # $FreeBSD$
  
  PORTNAME=	pefs
 @@ -12,6 +12,7 @@ COMMENT=	PEFS kernel level stacked crypt
  
  LICENSE=	BSD
  
 +SSP_UNSAFE=	kernel module does not support ssp
  FETCH_ARGS=	-Fpr		# work around 302 redirect
  
  KMODDIR?=	/boot/modules
 
 Modified: head/sysutils/pmap/Makefile
 ==============================================================================
 --- head/sysutils/pmap/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/sysutils/pmap/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -11,6 +11,7 @@ MASTER_SITES=	${MASTER_SITE_LOCAL:S!$!sk
  MAINTAINER=	ports@FreeBSD.org
  COMMENT=	Detailed process memory display
  
 +SSP_UNSAFE=	kernel module does not support ssp
  NO_PACKAGE=	Depends on kernel
  
  KMODDIR=	/boot/modules
 
 Modified: head/sysutils/scprotect/Makefile
 ==============================================================================
 --- head/sysutils/scprotect/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/sysutils/scprotect/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -1,9 +1,5 @@
 -# New ports collection Makefile for:	scprotect
 -# Date created:		5 Feb 2009
 -# Whom:			Denis Barov  <dindin@dindin.ru>
 -#
 +# Created by: Denis Barov  <dindin@dindin.ru>
  # $FreeBSD$
 -#
  
  PORTNAME=	scprotect
  PORTVERSION=	20091116
 @@ -14,6 +10,7 @@ MAINTAINER=	ports@FreeBSD.org
  COMMENT=	Protect process from killing when the swap space is exhausted
  
  NO_PACKAGE=	Needs to be compiled for specific kernel
 +SSP_UNSAFE=	kernel module does not support ssp
  
  KMODDIR?=	/boot/modules
  
 
 Modified: head/sysutils/vordog/Makefile
 ==============================================================================
 --- head/sysutils/vordog/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/sysutils/vordog/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -1,9 +1,5 @@
 -# Ports collection makefile for: vordog
 -# Date created: 8 July 2008
 -# Whom:		Kueifeng Li <thinker@branda.to>
 -#
 +# Created by: Kueifeng Li <thinker@branda.to>
  # $FreeBSD$
 -#
  
  PORTNAME=	vordog
  PORTVERSION=	20080708
 @@ -13,6 +9,7 @@ MASTER_SITES=	http://www.assembla.com/sp
  MAINTAINER=	ports@FreeBSD.org
  COMMENT=	Watchdog(9) driver for watchdog timer of Vortex86
  
 +SSP_UNSAFE=	kernel module does not support ssp
  KMODDIR=	/boot/modules
  
  ONLY_FOR_ARCHS=	i386
 
 Modified: head/x11/nvidia-driver/Makefile
 ==============================================================================
 --- head/x11/nvidia-driver/Makefile	Fri Sep 20 12:16:14 2013	(r327696)
 +++ head/x11/nvidia-driver/Makefile	Fri Sep 20 12:54:54 2013	(r327697)
 @@ -27,6 +27,7 @@ LICENSE_NAME=	License For Customer Use o
  LICENSE_FILE=	${WRKSRC}/doc/license.txt
  LICENSE_PERMS=	dist-mirror no-dist-sell pkg-mirror no-pkg-sell auto-accept
  
 +SSP_UNSAFE=	kernel module does not support ssp
  ARCH_SUFX=	${ARCH:S/i386//:S/amd/_/}
  USE_XORG=	xorg-server
  USE_GL=		gl
 _______________________________________________
 svn-ports-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-ports-all
 To unsubscribe, send any mail to "svn-ports-all-unsubscribe@freebsd.org"
 
>Unformatted:
