diff --git a/pkg/fortify-headers/build b/pkg/fortify-headers/build
new file mode 100755
index 0000000..b23dbf7
--- /dev/null
+++ b/pkg/fortify-headers/build
@@ -0,0 +1,24 @@
+VERSION="1.0"
+SRCDIR="fortify-headers-$VERSION"
+TARBALL="$SRCDIR.tar.xz"
+URL="http://infraroot.at/pygos"
+SHA256SUM="992af871941317b75b5520485111da14dd1b785dcb45de86244b1f6476182696"
+DEPENDS="linux_headers"
+
+prepare() {
+ return
+}
+
+build() {
+ return
+}
+
+deploy() {
+ make -C "$1" PREFIX="" DESTDIR="$2" install
+}
+
+check_update() {
+ curl --silent -L "http://git.2f30.org/fortify-headers/refs.html" | \
+ grep -o "
[0-9.]\+ | " | grep -o "[0-9.]*" | \
+ verson_find_greatest "$VERSION"
+}
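Review bot: Both network fetches in this new file use plain `http://`: the tarball base on the `URL=` line and the `curl` call in `check_update()`. The tarball is pinned by `SHA256SUM`, so its integrity holds only if the framework verifies the hash before unpacking, which this diff does not show. The version list scraped in `check_update()` has no such check, so anyone on the network path can alter which version a maintainer is told to move to. If the hosts serve TLS, switch both to `https://`, and add `--fail` to the curl call so an HTTP error does not read as "no update". Also confirm that `verson_find_greatest` is the helper's real spelling; if it is a typo for `version_find_greatest`, the pipeline breaks only at run time.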
diff --git a/pkg/musl/build b/pkg/musl/build
index 887296c..4461704 100755
--- a/pkg/musl/build
+++ b/pkg/musl/build
@@ -3,7 +3,7 @@ SRCDIR="musl-$VERSION"
TARBALL="$SRCDIR.tar.gz"
URL="https://www.musl-libc.org/releases"
SHA256SUM="44be8771d0e6c6b5f82dd15662eb2957c9a3173a19a8b49966ac0542bbd40d61"
-DEPENDS="tc-gcc1 linux_headers"
+DEPENDS="tc-gcc1 linux_headers fortify-headers"
prepare() {
return
diff --git a/pkg/tc-gcc1/0001.patch b/pkg/tc-gcc1/0001.patch
new file mode 100644
index 0000000..4f7712c
--- /dev/null
+++ b/pkg/tc-gcc1/0001.patch
@@ -0,0 +1,13 @@
+diff --git a/gcc/config/linux.h b/gcc/config/linux.h
+index 2ea4ff9..e10e0a5 100644
+--- a/gcc/config/linux.h
++++ b/gcc/config/linux.h
+@@ -154,6 +154,8 @@ see the files COPYING3 and COPYING.RUNTIME respectively. If not, see
+
+ #ifdef NATIVE_SYSTEM_HEADER_DIR
+ #define INCLUDE_DEFAULTS_MUSL_NATIVE \
++ { NATIVE_SYSTEM_HEADER_DIR "/fortify", 0, 0, 0, 1, 2 }, \
++ { NATIVE_SYSTEM_HEADER_DIR "/fortify", 0, 0, 0, 1, 0 }, \
+ { NATIVE_SYSTEM_HEADER_DIR, 0, 0, 0, 1, 2 }, \
+ { NATIVE_SYSTEM_HEADER_DIR, 0, 0, 0, 1, 0 },
+ #else
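Review bot: Nothing verifies that `NATIVE_SYSTEM_HEADER_DIR "/fortify"` exists in the sysroot, and GCC drops a nonexistent default include directory without any diagnostic. The directory is populated by `deploy()` in pkg/fortify-headers/build with `PREFIX=""`, so that install path and this one have to agree. If they drift, builds fall back to the unwrapped libc headers while `_FORTIFY_SOURCE` is still defined by 0002.patch, which looks hardened but is not. I would add `/* must precede the libc dir: the fortify wrappers reach libc via #include_next */` above the `#define`. I would also add a post-build check in the toolchain package that preprocesses `#include <string.h>` and confirms the first header resolved comes from the fortify directory. The `#ifdef` block continues outside the hunk.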
diff --git a/pkg/tc-gcc1/0002.patch b/pkg/tc-gcc1/0002.patch
new file mode 100644
index 0000000..7ee9077
--- /dev/null
+++ b/pkg/tc-gcc1/0002.patch
@@ -0,0 +1,14 @@
+diff --git a/gcc/c-family/c-cppbuiltin.c b/gcc/c-family/c-cppbuiltin.c
+index 3fc4fa9..2c502be 100644
+--- a/gcc/c-family/c-cppbuiltin.c
++++ b/gcc/c-family/c-cppbuiltin.c
+@@ -1342,6 +1342,9 @@ c_cpp_builtins (cpp_reader *pfile)
+ builtin_define_with_value ("__REGISTER_PREFIX__", REGISTER_PREFIX, 0);
+ builtin_define_with_value ("__USER_LABEL_PREFIX__", user_label_prefix, 0);
+
++ /* Fortify Source enabled by default w/optimization. */
++ cpp_define (pfile, "_FORTIFY_SOURCE=((defined __OPTIMIZE__ && __OPTIMIZE__ > 0) ? 2 : 0)");
++
+ /* Misc. */
+ if (flag_gnu89_inline)
+ cpp_define (pfile, "__GNUC_GNU_INLINE__");
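Review bot: The value given to `_FORTIFY_SOURCE` in the new `cpp_define` contains `defined`, so any header testing it with `#if _FORTIFY_SOURCE > 0` gets a `defined` produced by macro expansion. The C standard leaves that undefined, and GCC releases that have `-Wexpansion-to-defined` report it under `-Wextra` and `-Wpedantic`. Separately, a package that passes its own `-D_FORTIFY_SOURCE=N` will now hit a macro-redefinition warning, which can fail the build under `-Werror`. Please document the override in the comment, e.g. `/* Fortify Source enabled by default w/optimization; packages that set their own level must pass -U_FORTIFY_SOURCE first. */`. `c_cpp_builtins` begins and ends outside the hunk.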
diff --git a/pkg/tc-gcc1/build b/pkg/tc-gcc1/build
index ef947f1..812d779 100755
--- a/pkg/tc-gcc1/build
+++ b/pkg/tc-gcc1/build
@@ -3,9 +3,11 @@ SRCDIR="gcc-$VERSION"
TARBALL="gcc-$VERSION.tar.xz"
URL="http://ftp.gnu.org/gnu/gcc/gcc-$VERSION"
SHA256SUM="196c3c04ba2613f893283977e6011b2345d1cd1af9abeac58e916b1aab3e0080"
-DEPENDS="tc-binutils tc-cloog tc-gmp tc-isl tc-mpc tc-mpfr linux_headers"
+DEPENDS="tc-binutils tc-cloog tc-gmp tc-isl tc-mpc tc-mpfr linux_headers fortify-headers"
prepare() {
+ apply_patches
+
#
# XXX: if you ever add support for another 64 bit processor,
# you need to patch this.
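Review bot: The result of the new `apply_patches` call at the top of `prepare()` is not checked. If the framework does not run build scripts under `set -e` (not visible here), a patch that stops applying after a GCC version bump would produce a toolchain without the fortify include path and the default macro, and nothing downstream would notice. `apply_patches || return 1` stops the build instead of shipping an unhardened compiler. The rest of `prepare()` lies outside the hunk.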