Hi All

The attached patch adds security hardening compiler and linker flags. These flags are only applied if --enable-secflags is on, and I've made --enable-secflags on by default. I totally understand if the maintainers may prefer for it to be off by default, at least initially.

Here is a brief explanation/justification of each of the flags added by this patch.

Compiler flags:

-Wformat -Wformat-security -Werror=format-security:
Protection against format string vulnerabilities at compile time, no impact to the compiled binaries.

-fPIE:
Build position independent executable (PIE) binaries. Enables a form of address space layout randomization (ASLR), which makes exploitation of memory corruption vulnerabilities significantly more difficult. This does incur a small performance cost, but this is minimal and I believe an acceptable price to pay for the protection PIE provides. For more details on the performance cost, see [0].

-fstack-protector-strong:
Stack-smashing protection at runtime, thwarting many buffer overflow exploits. This does incur a small performance cost. -fstack-protector-strong is designed to incur a minimal performance cost, compared to the more comprehensive -fstack-protector-all.

-D_FORTIFY_SOURCE=2:
Protection against static sized buffer overflows at compile time, no impact to compiled binaries.

Linker flags:

-fPIE -pie:
To enable PIE as noted above.

-Wl,-z,relro:
Prevents some memory corruption exploits that overwrite the global offset table (GOT). For more details see [1].

-Wl,-z,now:
Part of GOT overwrite protection. Can incur an extremely minimal performance hit at startup time as symbols are resolved.

-Wl,-z,noexecstack:
Prevents some memory corruption exploits by marking the stack as non-executable.

Not all of these flags are available on some architectures and processors, but they should be automatically omitted from the configure script if not supported.

Thanks
David

[0] https://securityblog.redhat.com/2012/12/12/position-independent-executable-p...
[1] https://isisblogs.poly.edu/2011/06/01/relro-relocation-read-only/
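
Added example (not part of the original message or the attached patch): a small checker that reads an ELF64 little-endian image and reports whether the link-time flags listed above (-pie, -z relro, -z now, -z noexecstack) actually took effect. The function names and the header-only sample builder are assumptions made for this illustration.

```python
import struct

ET_DYN = 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def hardening_report(elf: bytes) -> dict:
    """Report link-time hardening of an ELF64 LE image (ET_DYN also matches shared objects)."""
    if elf[:4] != b"\x7fELF" or elf[4:6] != b"\x02\x01":
        raise ValueError("not a 64-bit little-endian ELF image")
    e_type = struct.unpack_from("<H", elf, 16)[0]
    e_phoff = struct.unpack_from("<Q", elf, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    # A missing PT_GNU_STACK is reported as "not protected" (conservative choice).
    report = {"pie": e_type == ET_DYN, "nx_stack": False, "relro": False, "bind_now": False}
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            report["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            report["relro"] = True
        elif p_type == PT_DYNAMIC:
            for off in range(p_offset, p_offset + p_filesz, 16):
                d_tag, d_val = struct.unpack_from("<qQ", elf, off)
                if d_tag == DT_NULL:
                    break
                if (d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                        or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                    report["bind_now"] = True  # any of these tags records -z now
    report["full_relro"] = report["relro"] and report["bind_now"]
    return report


def build_sample(e_type, stack_flags, relro, dyn):
    """Constructed test input: a header-only ELF64 image, not a runnable program."""
    dyn_blob = b"".join(struct.pack("<qQ", t, v) for t, v in dyn + [(DT_NULL, 0)])
    phdrs = [(PT_GNU_STACK, stack_flags, 0, 0), (PT_DYNAMIC, 6, None, len(dyn_blob))]
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, 0, 0))
    dyn_off = 64 + 56 * len(phdrs)  # dynamic section follows the program headers
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, dyn_off if o is None else o, 0, 0, sz, sz, 8)
                    for t, f, o, sz in phdrs)
    return ehdr + body + dyn_blob
```

To check a real build, pass the file contents: hardening_report(open(path, "rb").read()). A binary linked with -z relro but without -z now shows relro True and full_relro False.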