AW: Increased SECURITY RISCS from omitting some compikler options when building PG with meson; e.g. -fcf-protection=full

Hans Buschmann <buschmann@nidsa.net>

From: Hans Buschmann <buschmann@nidsa.net>
To: Matthias van de Meent <boekewurm+postgres@gmail.com>
Cc: Peter Eisentraut <peter@eisentraut.org>, "pgsql-hackers@postgresql.org" <pgsql-hackers@postgresql.org>
Date: 2026-07-08T11:24:55Z
Lists: pgsql-hackers
Hello Matthias,


Thank you for pointing me to the pg_config options. I didn't know and will take a look.



> If the normal user cannot handle compiler options, then should they
> really be self-compiling PostgreSQL with custom compiler options, for
> a platform that already has pre-compiled binary distributions?

As already mentioned in my original post, there are some cases a "normal" user (in my terminology it is a db responsible not experienced with C programming practice) may use a manual recompile:

- blocksize change
- emergency patch: see current planet postgres:
- test on beta versions of the OS
- etc...

https://www.credativ.de/blog/postgresql/replikations-deadlock-fehler-in-aktuellen-postgres-versionen-14-16/

The user should be able to recompile the package (which is really very easy with meson after some setup of developer packages) without deeper knowledge of C programming with the original configuration of the distribution.

In production I use the binary distribution from PGDG and additionally compile the latest/beta versions for a compatibility check.

Best regards

Hans Buschmann