From 91a4990bc129ddabe81a9c01fc0d9f5c972b9162 Mon Sep 17 00:00:00 2001 From: Jeffrey Clark Date: Thu, 18 Apr 2024 08:51:04 -0500 Subject: [PATCH 1/8] (PA-6383) ensure PIE compile flags applied to future platforms --- configs/projects/_shared-agent-settings.rb | 2 +- configs/projects/_shared-pe-bolt-server_with_ruby.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/configs/projects/_shared-agent-settings.rb b/configs/projects/_shared-agent-settings.rb index 1baff55b1..04b4e6087 100644 --- a/configs/projects/_shared-agent-settings.rb +++ b/configs/projects/_shared-agent-settings.rb @@ -152,7 +152,7 @@ # stack canary and full RELRO. # We only do this on platforms that use their default OS toolchain since pl-gcc versions # are too old to support these flags. -if platform.name =~ /sles-15|el-8|debian-10/ || platform.is_fedora? +if (platform.is_sles? && platform.os_version.to_i >= 15) || (platform.is_el? && platform.os_version.to_i >= 8) || platform.is_debian? || (platform.is_ubuntu? && platform.os_version.to_i >= 20) || platform.is_fedora? proj.setting(:cppflags, "-I#{proj.includedir} -D_FORTIFY_SOURCE=2") proj.setting(:cflags, '-fstack-protector-strong -fno-plt -O2') proj.setting(:ldflags, "-L#{proj.libdir} -Wl,-rpath=#{proj.libdir},-z,relro,-z,now") diff --git a/configs/projects/_shared-pe-bolt-server_with_ruby.rb b/configs/projects/_shared-pe-bolt-server_with_ruby.rb index 18aaf82a9..b04ece7a2 100644 --- a/configs/projects/_shared-pe-bolt-server_with_ruby.rb +++ b/configs/projects/_shared-pe-bolt-server_with_ruby.rb 
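Review bot: `platform.is_debian?` in the new condition carries no version floor, while the SLES, EL and Ubuntu terms do and the regex it replaces matched only `debian-10`. The comment above the condition says the flags are limited to platforms on their OS toolchain because pl-gcc is too old for them, so any Debian release still built with pl-build-tools would now get the hardened flags and lose the `/opt/pl-build-tools` include and library paths. If that is not intended, bound it like the others, `(platform.is_debian? && platform.os_version.to_i >= 10)`. The same unbounded term appears in the `_shared-pe-bolt-server_with_ruby.rb` hunk and in the `runtime-bolt.rb` `elsif` of patch 3; whether any older Debian target is still built is not visible here.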
@@ -87,7 +87,7 @@ # stack canary and full RELRO. # We only do this on platforms that use their default OS toolchain since pl-gcc versions # are too old to support these flags. -if platform.name =~ /sles-15|el-8|debian-10/ || platform.is_fedora? +if (platform.is_sles? && platform.os_version.to_i >= 15) || (platform.is_el? && platform.os_version.to_i >= 8) || platform.is_debian? || (platform.is_ubuntu? && platform.os_version.to_i >= 20) || platform.is_fedora? proj.setting(:cppflags, "-I#{proj.includedir} -D_FORTIFY_SOURCE=2") proj.setting(:cflags, '-fstack-protector-strong -fno-plt -O2') proj.setting(:ldflags, "-L#{proj.libdir} -Wl,-rpath=#{proj.libdir},-z,relro,-z,now") From e8dcab65afb1b537d6755c7e91bcc9ab96252c22 Mon Sep 17 00:00:00 2001 From: Jeffrey Clark Date: Thu, 18 Apr 2024 09:03:36 -0500 Subject: [PATCH 2/8] (PA-6383) add PIE compile flags to runtimes with platform support --- configs/projects/_shared-client-tools-runtime.rb | 10 ++++++++++ configs/projects/_shared-pe-installer-runtime.rb | 10 ++++++++++ configs/projects/bolt-runtime.rb | 10 ++++++++++ configs/projects/pdk-runtime.rb | 10 ++++++++++ 4 files changed, 40 insertions(+) diff --git a/configs/projects/_shared-client-tools-runtime.rb b/configs/projects/_shared-client-tools-runtime.rb index 701081bf8..b62bc779c 100644 --- a/configs/projects/_shared-client-tools-runtime.rb +++ b/configs/projects/_shared-client-tools-runtime.rb 
@@ -96,6 +96,16 @@ proj.setting(:cppflags, "-I#{proj.includedir} -I/opt/pl-build-tools/include") proj.setting(:cflags, "#{proj.cppflags}") proj.setting(:ldflags, "-L#{proj.libdir} -L/opt/pl-build-tools/lib -Wl,-rpath=#{proj.libdir}") + + # Harden Linux ELF binaries by compiling with PIE (Position Independent Executables) support, + # stack canary and full RELRO. + # We only do this on platforms that use their default OS toolchain since pl-gcc versions + # are too old to support these flags. + if (platform.is_sles? && platform.os_version.to_i >= 15) || (platform.is_el? && platform.os_version.to_i >= 8) || platform.is_debian? || (platform.is_ubuntu? && platform.os_version.to_i >= 20) || platform.is_fedora? + proj.setting(:cppflags, "-I#{proj.includedir} -D_FORTIFY_SOURCE=2") + proj.setting(:cflags, '-fstack-protector-strong -fno-plt -O2') + proj.setting(:ldflags, "-L#{proj.libdir} -Wl,-rpath=#{proj.libdir},-z,relro,-z,now") + end end # What to build? diff --git a/configs/projects/_shared-pe-installer-runtime.rb b/configs/projects/_shared-pe-installer-runtime.rb index 654ade094..84aad245c 100644 --- a/configs/projects/_shared-pe-installer-runtime.rb +++ b/configs/projects/_shared-pe-installer-runtime.rb 
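Review bot: The comment added here promises PIE, but none of the three settings passes `-fPIE` or `-pie`; what is requested is `_FORTIFY_SOURCE=2`, a stack protector, `-fno-plt` and full RELRO. Position independence therefore depends on each distro's GCC defaulting to PIE, which probably does not hold uniformly across the platforms the condition admits. Either add the flags explicitly (`-fPIE` in `:cflags`, `-pie` in `:ldflags`, keeping in mind that `-pie` must not reach shared-library links) or reword the comment and add a post-build check such as `readelf -h` reporting `DYN` for the shipped executables. The identical block is added in the `_shared-pe-installer-runtime.rb`, `bolt-runtime.rb` and `pdk-runtime.rb` hunks and is carried into `_shared-compiler-settings.rb` by patch 4.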
@@ -37,6 +37,16 @@ proj.setting(:cflags, "#{proj.cppflags}") proj.setting(:ldflags, "-L#{proj.libdir} -L/opt/pl-build-tools/lib -Wl,-rpath=#{proj.libdir}") +# Harden Linux ELF binaries by compiling with PIE (Position Independent Executables) support, +# stack canary and full RELRO. +# We only do this on platforms that use their default OS toolchain since pl-gcc versions +# are too old to support these flags. +if (platform.is_sles? && platform.os_version.to_i >= 15) || (platform.is_el? && platform.os_version.to_i >= 8) || platform.is_debian? || (platform.is_ubuntu? && platform.os_version.to_i >= 20) || platform.is_fedora? + proj.setting(:cppflags, "-I#{proj.includedir} -D_FORTIFY_SOURCE=2") + proj.setting(:cflags, '-fstack-protector-strong -fno-plt -O2') + proj.setting(:ldflags, "-L#{proj.libdir} -Wl,-rpath=#{proj.libdir},-z,relro,-z,now") +end + # These flags are applied in addition to the defaults in configs/component/openssl.rb. proj.setting(:openssl_extra_configure_flags, [ 'no-dtls', diff --git a/configs/projects/bolt-runtime.rb b/configs/projects/bolt-runtime.rb index d9eedf6c9..80a89d829 100644 --- a/configs/projects/bolt-runtime.rb +++ b/configs/projects/bolt-runtime.rb 
@@ -72,6 +72,16 @@ proj.setting(:cflags, "#{proj.cppflags}") proj.setting(:ldflags, "-L#{proj.libdir} -L/opt/pl-build-tools/lib -Wl,-rpath=#{proj.libdir}") + # Harden Linux ELF binaries by compiling with PIE (Position Independent Executables) support, + # stack canary and full RELRO. + # We only do this on platforms that use their default OS toolchain since pl-gcc versions + # are too old to support these flags. + if (platform.is_sles? && platform.os_version.to_i >= 15) || (platform.is_el? && platform.os_version.to_i >= 8) || platform.is_debian? || (platform.is_ubuntu? && platform.os_version.to_i >= 20) || platform.is_fedora? + proj.setting(:cppflags, "-I#{proj.includedir} -D_FORTIFY_SOURCE=2") + proj.setting(:cflags, '-fstack-protector-strong -fno-plt -O2') + proj.setting(:ldflags, "-L#{proj.libdir} -Wl,-rpath=#{proj.libdir},-z,relro,-z,now") + end + # Platform specific overrides or settings, which may override the defaults if platform.is_windows? arch = platform.architecture == "x64" ? "64" : "32" diff --git a/configs/projects/pdk-runtime.rb b/configs/projects/pdk-runtime.rb index cd6ea3edc..b816bf13e 100644 --- a/configs/projects/pdk-runtime.rb +++ b/configs/projects/pdk-runtime.rb 
@@ -117,6 +117,16 @@ proj.setting(:cflags, proj.cppflags.to_s) proj.setting(:ldflags, "-L#{proj.libdir} -L/opt/pl-build-tools/lib -Wl,-rpath=#{proj.libdir}") + # Harden Linux ELF binaries by compiling with PIE (Position Independent Executables) support, + # stack canary and full RELRO. + # We only do this on platforms that use their default OS toolchain since pl-gcc versions + # are too old to support these flags. + if (platform.is_sles? && platform.os_version.to_i >= 15) || (platform.is_el? && platform.os_version.to_i >= 8) || platform.is_debian? || (platform.is_ubuntu? && platform.os_version.to_i >= 20) || platform.is_fedora? + proj.setting(:cppflags, "-I#{proj.includedir} -D_FORTIFY_SOURCE=2") + proj.setting(:cflags, '-fstack-protector-strong -fno-plt -O2') + proj.setting(:ldflags, "-L#{proj.libdir} -Wl,-rpath=#{proj.libdir},-z,relro,-z,now") + end + if platform.is_windows? proj.setting(:gcc_root, 'C:/tools/mingw64') proj.setting(:gcc_bindir, "#{proj.gcc_root}/bin") From a8484d0f0a91ad546258b1ef8c3c8566189e76eb Mon Sep 17 00:00:00 2001 From: Jeffrey Clark Date: Thu, 18 Apr 2024 09:05:42 -0500 Subject: [PATCH 3/8] (PA-6383) ensure new bolt runtime platforms do not use pl-build-tools --- configs/components/runtime-bolt.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configs/components/runtime-bolt.rb b/configs/components/runtime-bolt.rb index cbfaa5f9a..9a63ea55f 100644 --- a/configs/components/runtime-bolt.rb +++ b/configs/components/runtime-bolt.rb 
@@ -13,7 +13,7 @@ pkg.install_file "#{settings[:tools_root]}/bin/libgdbm_compat-4.dll", "#{settings[:ruby_bindir]}/libgdbm_compat-4.dll" pkg.install_file "#{settings[:tools_root]}/bin/libiconv-2.dll", "#{settings[:ruby_bindir]}/libiconv-2.dll" pkg.install_file "#{settings[:tools_root]}/bin/libffi-6.dll", "#{settings[:ruby_bindir]}/libffi-6.dll" - elsif platform.is_macos? or platform.name =~ /sles-15|el-8|debian-10|ubuntu-20.04|ubuntu-22.04/ || platform.is_fedora? + elsif platform.is_macos? || (platform.is_sles? && platform.os_version.to_i >= 15) || (platform.is_el? && platform.os_version.to_i >= 8) || platform.is_debian? || (platform.is_ubuntu? && platform.os_version.to_i >= 20) || platform.is_fedora? # Do nothing for distros that have a suitable compiler do not use pl-build-tools From 6010ce13929ac2caca1510a04fd342490ce34e4b Mon Sep 17 00:00:00 2001 From: Jeffrey Clark Date: Thu, 18 Apr 2024 09:53:30 -0500 Subject: [PATCH 4/8] (PA-6383) share compiler default settings --- configs/projects/_shared-agent-settings.rb | 19 ++-------------- .../projects/_shared-client-tools-runtime.rb | 16 ++------------ configs/projects/_shared-compiler-settings.rb | 22 +++++++++++++++++++ .../_shared-pe-bolt-server_with_ruby.rb | 19 ++-------------- .../projects/_shared-pe-installer-runtime.rb | 17 ++------------ configs/projects/bolt-runtime.rb | 17 ++------------ configs/projects/pdk-runtime.rb | 17 ++------------ 7 files changed, 34 insertions(+), 93 deletions(-) create mode 100644 configs/projects/_shared-compiler-settings.rb diff --git a/configs/projects/_shared-agent-settings.rb b/configs/projects/_shared-agent-settings.rb index 04b4e6087..22d76367f 100644 --- a/configs/projects/_shared-agent-settings.rb +++ b/configs/projects/_shared-agent-settings.rb 
@@ -140,23 +140,8 @@ proj.setting(:platform_triple, platform_triple) proj.setting(:host, host) -# Define default CFLAGS and LDFLAGS for most platforms, and then -# tweak or adjust them as needed. -proj.setting(:cppflags, "-I#{proj.includedir} -I/opt/pl-build-tools/include") -proj.setting(:cflags, "#{proj.cppflags}") -proj.setting(:ldflags, "-L#{proj.libdir} -L/opt/pl-build-tools/lib -Wl,-rpath=#{proj.libdir}") - -# Platform specific overrides or settings, which may override the defaults - -# Harden Linux ELF binaries by compiling with PIE (Position Independent Executables) support, -# stack canary and full RELRO. -# We only do this on platforms that use their default OS toolchain since pl-gcc versions -# are too old to support these flags. -if (platform.is_sles? && platform.os_version.to_i >= 15) || (platform.is_el? && platform.os_version.to_i >= 8) || platform.is_debian? || (platform.is_ubuntu? && platform.os_version.to_i >= 20) || platform.is_fedora? - proj.setting(:cppflags, "-I#{proj.includedir} -D_FORTIFY_SOURCE=2") - proj.setting(:cflags, '-fstack-protector-strong -fno-plt -O2') - proj.setting(:ldflags, "-L#{proj.libdir} -Wl,-rpath=#{proj.libdir},-z,relro,-z,now") -end +# Load default compiler settings +instance_eval File.read('configs/projects/_shared-compiler-settings.rb') if ruby_version_x == "3" proj.setting(:openssl_version, '3.0') diff --git a/configs/projects/_shared-client-tools-runtime.rb b/configs/projects/_shared-client-tools-runtime.rb index b62bc779c..43113dba9 100644 --- a/configs/projects/_shared-client-tools-runtime.rb +++ b/configs/projects/_shared-client-tools-runtime.rb 
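Review bot: `File.read('configs/projects/_shared-compiler-settings.rb')` resolves against the process working directory, so the file that gets evaluated as code depends on where the build is started from; `bolt-runtime.rb` and `pdk-runtime.rb` in this same patch anchor the path with `File.dirname(__FILE__)` instead. If `__FILE__` is not usable in this file because it is itself loaded through `instance_eval` of a string (not visible here), consider resolving the path once from a known root. Passing the path as the second argument, `instance_eval File.read(path), path`, would also make errors raised inside the shared file point at it rather than at an anonymous eval. The same relative form is used in the `_shared-client-tools-runtime.rb`, `_shared-pe-bolt-server_with_ruby.rb` and `_shared-pe-installer-runtime.rb` hunks.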
@@ -92,20 +92,8 @@ proj.setting(:ldflags, "-L#{proj.tools_root}/lib -L#{proj.gcc_root}/lib -L#{proj.libdir} -Wl,--nxcompat -Wl,--dynamicbase") proj.setting(:cygwin, "nodosfilewarning winsymlinks:native") else - proj.setting(:tools_root, "/opt/pl-build-tools") - proj.setting(:cppflags, "-I#{proj.includedir} -I/opt/pl-build-tools/include") - proj.setting(:cflags, "#{proj.cppflags}") - proj.setting(:ldflags, "-L#{proj.libdir} -L/opt/pl-build-tools/lib -Wl,-rpath=#{proj.libdir}") - - # Harden Linux ELF binaries by compiling with PIE (Position Independent Executables) support, - # stack canary and full RELRO. - # We only do this on platforms that use their default OS toolchain since pl-gcc versions - # are too old to support these flags. - if (platform.is_sles? && platform.os_version.to_i >= 15) || (platform.is_el? && platform.os_version.to_i >= 8) || platform.is_debian? || (platform.is_ubuntu? && platform.os_version.to_i >= 20) || platform.is_fedora? - proj.setting(:cppflags, "-I#{proj.includedir} -D_FORTIFY_SOURCE=2") - proj.setting(:cflags, '-fstack-protector-strong -fno-plt -O2') - proj.setting(:ldflags, "-L#{proj.libdir} -Wl,-rpath=#{proj.libdir},-z,relro,-z,now") - end + # Load default compiler settings + instance_eval File.read('configs/projects/_shared-compiler-settings.rb') end # What to build? diff --git a/configs/projects/_shared-compiler-settings.rb b/configs/projects/_shared-compiler-settings.rb new file mode 100644 index 000000000..102622e8f --- /dev/null +++ b/configs/projects/_shared-compiler-settings.rb 
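Review bot: The removed `else` body also set `proj.setting(:tools_root, "/opt/pl-build-tools")`, and `_shared-compiler-settings.rb` as added by this patch does not define `:tools_root`, so non-Windows client-tools builds lose that setting. Any component that reads `settings[:tools_root]` on those platforms would now get nil; whether one does is not visible in this patch. Keep the line next to the load, `proj.setting(:tools_root, "/opt/pl-build-tools")`, unless the setting is known to be unused off Windows.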
@@ -0,0 +1,22 @@ +# Define default CFLAGS and LDFLAGS for most platforms, and then +# tweak or adjust them as needed. +proj.setting(:cppflags, "-I#{proj.includedir} -I/opt/pl-build-tools/include") +proj.setting(:cflags, "#{proj.cppflags}") +proj.setting(:ldflags, "-L#{proj.libdir} -L/opt/pl-build-tools/lib -Wl,-rpath=#{proj.libdir}") + +# Platform specific overrides or settings, which may override the defaults + +# Harden Linux ELF binaries by compiling with PIE (Position Independent Executables) support, +# stack canary and full RELRO. +# We only do this on platforms that use their default OS toolchain since pl-gcc versions +# are too old to support these flags. +if ((platform.is_sles? && platform.os_version.to_i >= 15) || + (platform.is_el? && platform.os_version.to_i >= 8) || + platform.is_debian? || + (platform.is_ubuntu? && platform.os_version.to_i >= 20) || + platform.is_fedora? + ) + proj.setting(:cppflags, "-I#{proj.includedir} -D_FORTIFY_SOURCE=2") + proj.setting(:cflags, '-fstack-protector-strong -fno-plt -O2') + proj.setting(:ldflags, "-L#{proj.libdir} -Wl,-rpath=#{proj.libdir},-z,relro,-z,now") +end diff --git a/configs/projects/_shared-pe-bolt-server_with_ruby.rb b/configs/projects/_shared-pe-bolt-server_with_ruby.rb index b04ece7a2..7cd2b9baf 100644 --- a/configs/projects/_shared-pe-bolt-server_with_ruby.rb +++ b/configs/projects/_shared-pe-bolt-server_with_ruby.rb 
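Review bot: The new file has no header saying how it is meant to be used. It is evaluated with `instance_eval` inside a project definition, reads `proj.includedir` and `proj.libdir`, and overwrites `:cppflags`, `:cflags` and `:ldflags`, so it must be loaded after those directories are set and before any platform-specific override of the flags. I would add a comment at the top along the lines of `# Evaluated via instance_eval from project files; requires proj.includedir/proj.libdir to be set; load before platform-specific flag overrides.`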
@@ -75,23 +75,8 @@ ruby_base_version = proj.ruby_version.gsub(/(\d+)\.(\d+)\.(\d+)/, '\1.\2.0') proj.setting(:gem_home, File.join(proj.libdir, 'ruby', 'gems', ruby_base_version)) -# Define default CFLAGS and LDFLAGS for most platforms, and then -# tweak or adjust them as needed. -proj.setting(:cppflags, "-I#{proj.includedir} -I/opt/pl-build-tools/include") -proj.setting(:cflags, "#{proj.cppflags}") -proj.setting(:ldflags, "-L#{proj.libdir} -L/opt/pl-build-tools/lib -Wl,-rpath=#{proj.libdir}") - -# Platform specific overrides or settings, which may override the defaults - -# Harden Linux ELF binaries by compiling with PIE (Position Independent Executables) support, -# stack canary and full RELRO. -# We only do this on platforms that use their default OS toolchain since pl-gcc versions -# are too old to support these flags. -if (platform.is_sles? && platform.os_version.to_i >= 15) || (platform.is_el? && platform.os_version.to_i >= 8) || platform.is_debian? || (platform.is_ubuntu? && platform.os_version.to_i >= 20) || platform.is_fedora? - proj.setting(:cppflags, "-I#{proj.includedir} -D_FORTIFY_SOURCE=2") - proj.setting(:cflags, '-fstack-protector-strong -fno-plt -O2') - proj.setting(:ldflags, "-L#{proj.libdir} -Wl,-rpath=#{proj.libdir},-z,relro,-z,now") -end +# Load default compiler settings +instance_eval File.read('configs/projects/_shared-compiler-settings.rb') # Required to build ruby proj.component 'libffi' diff --git a/configs/projects/_shared-pe-installer-runtime.rb b/configs/projects/_shared-pe-installer-runtime.rb index 84aad245c..7de7575cd 100644 --- a/configs/projects/_shared-pe-installer-runtime.rb +++ b/configs/projects/_shared-pe-installer-runtime.rb 
@@ -31,21 +31,8 @@ proj.setting(:artifactory_url, "https://artifactory.delivery.puppetlabs.net/artifactory") proj.setting(:buildsources_url, "#{proj.artifactory_url}/generic/buildsources") -# Define default CFLAGS and LDFLAGS for most platforms, and then -# tweak or adjust them as needed. -proj.setting(:cppflags, "-I#{proj.includedir} -I/opt/pl-build-tools/include") -proj.setting(:cflags, "#{proj.cppflags}") -proj.setting(:ldflags, "-L#{proj.libdir} -L/opt/pl-build-tools/lib -Wl,-rpath=#{proj.libdir}") - -# Harden Linux ELF binaries by compiling with PIE (Position Independent Executables) support, -# stack canary and full RELRO. -# We only do this on platforms that use their default OS toolchain since pl-gcc versions -# are too old to support these flags. -if (platform.is_sles? && platform.os_version.to_i >= 15) || (platform.is_el? && platform.os_version.to_i >= 8) || platform.is_debian? || (platform.is_ubuntu? && platform.os_version.to_i >= 20) || platform.is_fedora? - proj.setting(:cppflags, "-I#{proj.includedir} -D_FORTIFY_SOURCE=2") - proj.setting(:cflags, '-fstack-protector-strong -fno-plt -O2') - proj.setting(:ldflags, "-L#{proj.libdir} -Wl,-rpath=#{proj.libdir},-z,relro,-z,now") -end +# Load default compiler settings +instance_eval File.read('configs/projects/_shared-compiler-settings.rb') # These flags are applied in addition to the defaults in configs/component/openssl.rb. proj.setting(:openssl_extra_configure_flags, [ diff --git a/configs/projects/bolt-runtime.rb b/configs/projects/bolt-runtime.rb index 80a89d829..7ba2e4b9a 100644 --- a/configs/projects/bolt-runtime.rb +++ b/configs/projects/bolt-runtime.rb 
@@ -66,21 +66,8 @@ proj.setting(:artifactory_url, "https://artifactory.delivery.puppetlabs.net/artifactory") proj.setting(:buildsources_url, "#{proj.artifactory_url}/generic/buildsources") - # Define default CFLAGS and LDFLAGS for most platforms, and then - # tweak or adjust them as needed. - proj.setting(:cppflags, "-I#{proj.includedir} -I/opt/pl-build-tools/include") - proj.setting(:cflags, "#{proj.cppflags}") - proj.setting(:ldflags, "-L#{proj.libdir} -L/opt/pl-build-tools/lib -Wl,-rpath=#{proj.libdir}") - - # Harden Linux ELF binaries by compiling with PIE (Position Independent Executables) support, - # stack canary and full RELRO. - # We only do this on platforms that use their default OS toolchain since pl-gcc versions - # are too old to support these flags. - if (platform.is_sles? && platform.os_version.to_i >= 15) || (platform.is_el? && platform.os_version.to_i >= 8) || platform.is_debian? || (platform.is_ubuntu? && platform.os_version.to_i >= 20) || platform.is_fedora? - proj.setting(:cppflags, "-I#{proj.includedir} -D_FORTIFY_SOURCE=2") - proj.setting(:cflags, '-fstack-protector-strong -fno-plt -O2') - proj.setting(:ldflags, "-L#{proj.libdir} -Wl,-rpath=#{proj.libdir},-z,relro,-z,now") - end + # Load default compiler settings + instance_eval File.read(File.join(File.dirname(__FILE__), '_shared-compiler-settings.rb')) # Platform specific overrides or settings, which may override the defaults if platform.is_windows? diff --git a/configs/projects/pdk-runtime.rb b/configs/projects/pdk-runtime.rb index b816bf13e..b6b3a707e 100644 --- a/configs/projects/pdk-runtime.rb +++ b/configs/projects/pdk-runtime.rb 
@@ -111,21 +111,8 @@ proj.setting(:host, "--host #{platform.platform_triple}") end - # Define default CFLAGS and LDFLAGS for most platforms, and then - # tweak or adjust them as needed. - proj.setting(:cppflags, "-I#{proj.includedir} -I/opt/pl-build-tools/include") - proj.setting(:cflags, proj.cppflags.to_s) - proj.setting(:ldflags, "-L#{proj.libdir} -L/opt/pl-build-tools/lib -Wl,-rpath=#{proj.libdir}") - - # Harden Linux ELF binaries by compiling with PIE (Position Independent Executables) support, - # stack canary and full RELRO. - # We only do this on platforms that use their default OS toolchain since pl-gcc versions - # are too old to support these flags. - if (platform.is_sles? && platform.os_version.to_i >= 15) || (platform.is_el? && platform.os_version.to_i >= 8) || platform.is_debian? || (platform.is_ubuntu? && platform.os_version.to_i >= 20) || platform.is_fedora? - proj.setting(:cppflags, "-I#{proj.includedir} -D_FORTIFY_SOURCE=2") - proj.setting(:cflags, '-fstack-protector-strong -fno-plt -O2') - proj.setting(:ldflags, "-L#{proj.libdir} -Wl,-rpath=#{proj.libdir},-z,relro,-z,now") - end + # Load default compiler settings + instance_eval File.read(File.join(File.dirname(__FILE__), '_shared-compiler-settings.rb')) if platform.is_windows? proj.setting(:gcc_root, 'C:/tools/mingw64') From 9711f01b7e7de00b0c1fb7938a1f1ba43ce14655 Mon Sep 17 00:00:00 2001 From: Jeffrey Clark Date: Thu, 18 Apr 2024 10:05:23 -0500 Subject: [PATCH 5/8] (PA-6383) add PIE flags to amazon 2023 platform --- configs/projects/_shared-compiler-settings.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/configs/projects/_shared-compiler-settings.rb b/configs/projects/_shared-compiler-settings.rb index 102622e8f..7d1c834ec 100644 --- a/configs/projects/_shared-compiler-settings.rb +++ b/configs/projects/_shared-compiler-settings.rb 
@@ -14,6 +14,7 @@ (platform.is_el? && platform.os_version.to_i >= 8) || platform.is_debian? || (platform.is_ubuntu? && platform.os_version.to_i >= 20) || + (platform.is_amazon? && platform.os_version.to_i >= 2023) || platform.is_fedora? ) proj.setting(:cppflags, "-I#{proj.includedir} -D_FORTIFY_SOURCE=2") From ac05640fbee4c6500092f2a9a7b1fdda394f1274 Mon Sep 17 00:00:00 2001 From: Jeffrey Clark Date: Wed, 24 Apr 2024 09:45:07 -0500 Subject: [PATCH 6/8] (PA-6383) record gcc switches for object comparison --- configs/projects/_shared-compiler-settings.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configs/projects/_shared-compiler-settings.rb b/configs/projects/_shared-compiler-settings.rb index 7d1c834ec..e692da90b 100644 --- a/configs/projects/_shared-compiler-settings.rb +++ b/configs/projects/_shared-compiler-settings.rb @@ -1,7 +1,7 @@ # Define default CFLAGS and LDFLAGS for most platforms, and then # tweak or adjust them as needed. proj.setting(:cppflags, "-I#{proj.includedir} -I/opt/pl-build-tools/include") -proj.setting(:cflags, "#{proj.cppflags}") +proj.setting(:cflags, "-frecord-gcc-switches #{proj.cppflags}") proj.setting(:ldflags, "-L#{proj.libdir} -L/opt/pl-build-tools/lib -Wl,-rpath=#{proj.libdir}") # Platform specific overrides or settings, which may override the defaults @@ -18,6 +18,6 @@ platform.is_fedora? ) proj.setting(:cppflags, "-I#{proj.includedir} -D_FORTIFY_SOURCE=2") - proj.setting(:cflags, '-fstack-protector-strong -fno-plt -O2') + proj.setting(:cflags, '-frecord-gcc-switches -fstack-protector-strong -fno-plt -O2') proj.setting(:ldflags, "-L#{proj.libdir} -Wl,-rpath=#{proj.libdir},-z,relro,-z,now") end From 4ff870e756b0da3ebdd4a17d75c47dcb7fdcd3b1 Mon Sep 17 00:00:00 2001 
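Review bot: Amazon Linux 2023 is added to the hardened-flag condition here, but the `elsif` in `configs/components/runtime-bolt.rb` rewritten by patch 3 is not touched by any later patch in this series and still lacks an `is_amazon?` term. On that platform the project flags would drop the `/opt/pl-build-tools` paths while the bolt runtime component falls through to whatever its remaining branch does (outside the visible hunk). If bolt-runtime is built for Amazon 2023, add `(platform.is_amazon? && platform.os_version.to_i >= 2023) ||` there as well.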
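Review bot: `-frecord-gcc-switches` is added to the default `:cflags` as well as the hardened one, and the default branch covers every platform outside the condition, including the pl-gcc toolchains the file's own comment calls too old for the other flags and possibly non-GCC compilers. Worth confirming each of those accepts the option, or restricting it to the hardened branch. The recorded command line also embeds the `-I` build paths in the objects, so say in a comment whether the section is expected to survive into shipped packages, e.g. `# recorded in .GCC.command.line so hardening flags can be verified per object`.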
From: Jeffrey Clark Date: Wed, 24 Apr 2024 12:29:40 -0500 Subject: [PATCH 7/8] (PA-6383) build ruby and gems with PIE flags --- configs/components/_base-ruby.rb | 3 +++ configs/components/ruby-2.7.8.rb | 10 +++++++++- configs/components/ruby-3.2.3.rb | 10 +++++++++- 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/configs/components/_base-ruby.rb b/configs/components/_base-ruby.rb index 1f9cd82dd..f302a7d53 100644 --- a/configs/components/_base-ruby.rb +++ b/configs/components/_base-ruby.rb @@ -76,6 +76,9 @@ elsif platform.architecture == 'arm64' && platform.os_version.to_i >= 13 pkg.environment 'CC', 'clang' end +else + pkg.environment 'LDFLAGS', settings[:ldflags] + pkg.environment 'optflags', settings[:cflags] end #################### diff --git a/configs/components/ruby-2.7.8.rb b/configs/components/ruby-2.7.8.rb index 73936bd9b..5e5e71cf9 100644 --- a/configs/components/ruby-2.7.8.rb +++ b/configs/components/ruby-2.7.8.rb @@ -98,7 +98,15 @@ special_flags = " --prefix=#{ruby_dir} --with-opt-dir=#{settings[:prefix]} " - if platform.name =~ /sles-15|el-8|debian-10/ + # conditional taken from projects/_shared-compiler-settings + # TODO: refactor condition + if ((platform.is_sles? && platform.os_version.to_i >= 15) || + (platform.is_el? && platform.os_version.to_i >= 8) || + platform.is_debian? || + (platform.is_ubuntu? && platform.os_version.to_i >= 20) || + (platform.is_amazon? && platform.os_version.to_i >= 2023) || + platform.is_fedora? + ) special_flags += " CFLAGS='#{settings[:cflags]}' LDFLAGS='#{settings[:ldflags]}' CPPFLAGS='#{settings[:cppflags]}' " end diff --git a/configs/components/ruby-3.2.3.rb b/configs/components/ruby-3.2.3.rb index b7e4a69df..9b29cb214 100644 --- a/configs/components/ruby-3.2.3.rb +++ b/configs/components/ruby-3.2.3.rb 
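Review bot: The new `else` in `_base-ruby.rb` exports `optflags` as `settings[:cflags]` for every platform that does not take the preceding branch, and on the non-hardened path that value (`-frecord-gcc-switches` plus the include flags) contains no `-O` level. If Ruby's configure honours `optflags` from the environment it would replace the default optimisation flags there, so check the resulting `RbConfig::CONFIG['optflags']` on a pl-build-tools platform. The enclosing conditional starts outside the hunk, so which platforms reach this branch cannot be confirmed from here; a short comment such as `# optflags (not CFLAGS) so the flags are recorded in rbconfig and reused for gem extensions` would also explain the choice, if that is the intent.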
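Review bot: The condition added in `ruby-2.7.8.rb` is another hand-copied version of the platform predicate, marked `TODO: refactor condition`, and the copies have already drifted: the `runtime-bolt.rb` one from patch 3 has no Amazon term. Since `_shared-compiler-settings.rb` already evaluates the predicate, it could record the result once, for example `proj.setting(:use_hardened_flags, true)` inside its `if` (setting name constructed here), and components would test `settings[:use_hardened_flags]`. The same copy is added in the `ruby-3.2.3.rb` hunk and the `augeas.rb` hunk of patch 8.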
@@ -93,7 +93,15 @@ special_flags = " --prefix=#{ruby_dir} --with-opt-dir=#{settings[:prefix]} " - if platform.name =~ /sles-15|el-8|debian-10/ + # conditional taken from projects/_shared-compiler-settings + # TODO: refactor condition + if ((platform.is_sles? && platform.os_version.to_i >= 15) || + (platform.is_el? && platform.os_version.to_i >= 8) || + platform.is_debian? || + (platform.is_ubuntu? && platform.os_version.to_i >= 20) || + (platform.is_amazon? && platform.os_version.to_i >= 2023) || + platform.is_fedora? + ) special_flags += " CFLAGS='#{settings[:cflags]}' LDFLAGS='#{settings[:ldflags]}' CPPFLAGS='#{settings[:cppflags]}' " end From 36f15ad19647ee90aa0b6da37eb0fb70981ba5f2 Mon Sep 17 00:00:00 2001 From: Jeffrey Clark Date: Wed, 24 Apr 2024 12:30:34 -0500 Subject: [PATCH 8/8] (PA-6383) build augeas and libedit with shared compiler settings --- configs/components/augeas.rb | 10 +++++++++- configs/components/libedit.rb | 5 ++--- 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/configs/components/augeas.rb b/configs/components/augeas.rb index 72cffa9bc..1a40a8175 100644 --- a/configs/components/augeas.rb +++ b/configs/components/augeas.rb @@ -125,7 +125,15 @@ end end - if platform.name =~ /sles-15|el-8|debian-10/ || platform.is_fedora? + # conditional taken from projects/_shared-compiler-settings + # TODO: refactor condition + if ((platform.is_sles? && platform.os_version.to_i >= 15) || + (platform.is_el? && platform.os_version.to_i >= 8) || + platform.is_debian? || + (platform.is_ubuntu? && platform.os_version.to_i >= 20) || + (platform.is_amazon? && platform.os_version.to_i >= 2023) || + platform.is_fedora? + ) pkg.environment 'CFLAGS', settings[:cflags] pkg.environment 'CPPFLAGS', settings[:cppflags] pkg.environment "LDFLAGS", settings[:ldflags] diff --git a/configs/components/libedit.rb b/configs/components/libedit.rb index 61f47c764..1bf04591c 100644 --- a/configs/components/libedit.rb +++ b/configs/components/libedit.rb 
@@ -11,9 +11,8 @@ elsif platform.is_aix? pkg.environment "CC", "/opt/pl-build-tools/bin/gcc" pkg.environment "LDFLAGS", settings[:ldflags] - end - - if platform.is_macos? + else + pkg.environment "LDFLAGS", settings[:ldflags] pkg.environment "CFLAGS", settings[:cflags] end
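Review bot: The new `else` exports `LDFLAGS` and `CFLAGS` but not `CPPFLAGS`, and on the hardened platforms `-D_FORTIFY_SOURCE=2` lives only in `settings[:cppflags]`, so libedit would be built without fortification. The `augeas.rb` hunk in this same patch exports all three; add `pkg.environment "CPPFLAGS", settings[:cppflags]` here to match. Also note that `CFLAGS` was previously set only for macOS and is now set for every platform that reaches this `else`; the earlier branches of the conditional are outside the hunk, so whether macOS still reaches it cannot be confirmed from here.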