On current unstable, libreswan compiles but then doesn't run because of an ABI
change in NSS.
There is an easy fix which is to land in the next version of libreswan, see
https://github.com/libreswan/libreswan/issues/334; in the meantime, we can copy
this fix so that libreswan works again on unstable.
LLD: https://lld.llvm.org/
When you link a large program on a multicore machine, you can expect that LLD runs more than twice as fast as the GNU gold linker. Your mileage may vary, though.
Link-time optimization (LTO) is supported by default.
Some default settings have been tuned for the 21st century. For example, the stack is marked as non-executable by default to tighten security.
LTO & ThinLTO: https://clang.llvm.org/docs/ThinLTO.html
LTO (Link Time Optimization) achieves better runtime performance through whole-program analysis and cross-module optimization. However, monolithic LTO implements this by merging all input into a single module, which is not scalable in time or memory, and also prevents fast incremental compiles. ThinLTO is a new approach that is designed to scale like a non-LTO build, while retaining most of the performance achievement of full LTO.
PGO: https://llvm.org/docs/HowToBuildWithPGO.htmlhttps://blog.chromium.org/2020/08/chrome-just-got-faster-with-profile.html
Allows your compiler to better optimize code for how it actually runs. Users report that applying this to Clang and LLVM can decrease overall compile time by 20%.
Because PGO uses real usage scenarios that match the workflows of Chrome users around the world, the most common tasks get prioritized and made faster. Delivers up to 10% faster page loads.
CFI: https://clang.llvm.org/docs/ControlFlowIntegrity.htmlhttps://www.chromium.org/developers/testing/control-flow-integrity
Aborts the program upon detecting certain forms of undefined behavior that can potentially allow attackers to subvert the program’s control flow. These schemes have been optimized for performance, allowing developers to enable them in release builds.
By default, a program compiled with CFI will crash with SIGILL if it detects a CFI violation.
Additionally:
Use minizip instead of zlib. Chromium says zlib but actually uses minizip.
Remove old unused workarounds.
Make shell scripts POSIX compliant.
Update documentation URLs.
Prepare for using system libraries.
parallel >= 20200822 uses /bin/echo to calculate the max allowed line
length. Patch it to a correct path, so that it doesn't (silently) fail
and fall back to a low value of 324.
Before:
$ parallel --max-line-length-allowed
324
After:
$ parallel --max-line-length-allowed
131063
Fixes: 16ca8725ff ("parallel: 20200722 -> 20200822")
Nginx fails to start, because it can't read the certificate file. This
happens because PrivateTmp is set for the service, which makes the
system wide /tmp inaccessible.