On Tuesday, 14 February 2012, at 10:54 +0100, Marcus Meissner wrote:
> On Tue, Feb 14, 2012 at 10:40:13AM +0100, Vincent Untz wrote:
>> On Monday, 30 January 2012, at 16:12 +0100, Ludwig Nussel wrote:
>>> Ludwig Nussel wrote:
>>>> The following packages in Factory have setuid binaries that are not compiled with position independent code according to rpmlint. I'd like to make the check (non-position-independent-executable) fatal on March 1st. I'll also file bugs for the individual packages.
>>> JFYI, tracker bug is here: https://bugzilla.novell.com/showdependencytree.cgi?id=744091
>> I'm really not fond of the way we're approaching this: we're just patching all packages. This is not a good long term solution (patches will have to be rebased, people might remove the patches because they don't understand what they're for, etc.) and this is not scalable.
> Those patches should of course get sent upstream, with autoconf wrappers when necessary.
> Usual distro work and it should scale...
>> But I've not seen any of them getting sent upstream. And in some cases, like dbus-1, we just change CFLAGS and LDFLAGS, which is not even upstreamable.
>> Can't we do something a little bit better? I see that Debian has this, for instance: http://wiki.debian.org/Hardening http://wiki.debian.org/Hardening#DEB_BUILD_HARDENING_PIE_.28gcc.2BAC8-g.2B-....
>> I feel that having a wrapper like they do is a much cleaner solution in the end. Is this something we could take inspiration from?
> They have the same concerns as you voiced above...

I beg to disagree:
- no need to rebase patches
- seeing such a flag/wrapper in a package is much clearer than seeing "-fpie" (which most people won't understand once this thread is forgotten)
- easy to add to a package

> We can change the defaults for the whole distro of course.
> ld -z relro is btw already the default.
> Hmm, wonder if special .spec file things like debian does there are the way to go.

I'm not saying we should do everything that is on the Debian wiki page. I'm just suggesting that we add a similar mechanism. An alternative approach, that I suggested earlier, is to fix the autotools to provide a --with-pie (since it already provides --with-pic). And then everyone benefits from this.

Vincent

-- 
Happy people are not in a hurry.
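For readers who want to see what the rpmlint check discussed in this thread actually tests, here is an added example (editor's code, not rpmlint's implementation and not from any of the posters): a small ELF header parser that classifies a file as PIE (ET_DYN) or fixed-address (ET_EXEC) and also reports whether ld -z relro left a PT_GNU_RELRO segment, plus a walker that applies it to setuid/setgid files. The parser reads only the ELF header and the p_type of each program header; the sample images are constructed in the script and are not loadable binaries.

```python
import os
import stat
import struct
import sys

# ELF constants from <elf.h>
ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
ET_EXEC, ET_DYN = 2, 3          # fixed-address executable vs. PIE (or shared object)
PT_INTERP = 3
PT_GNU_RELRO = 0x6474E552       # segment emitted by ld -z relro


def inspect_elf(data):
    """Classify an in-memory ELF image.

    Returns {"e_type": int, "pie": bool, "relro": bool}. "pie" means the file is
    ET_DYN, i.e. it was linked with -pie; a shared library is ET_DYN too, so only
    apply this to files installed as programs. Raises ValueError on non-ELF or
    truncated input."""
    if len(data) < 6 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = {ELFDATA2LSB: "<", ELFDATA2MSB: ">"}.get(ei_data)
    if end is None:
        raise ValueError("unknown ELF data encoding")
    if ei_class == ELFCLASS64:
        # e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize e_phentsize e_phnum
        fmt, ehsize = end + "HHIQQQIHHH", 64
    elif ei_class == ELFCLASS32:
        fmt, ehsize = end + "HHIIIIIHHH", 52
    else:
        raise ValueError("unknown ELF class")
    if len(data) < ehsize:
        raise ValueError("truncated ELF header")
    hdr = struct.unpack_from(fmt, data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[0], hdr[4], hdr[8], hdr[9]

    # p_type is the first u32 of a program header in both ELF classes.
    p_types = set()
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            raise ValueError("truncated program header table")
        p_types.add(struct.unpack_from(end + "I", data, off)[0])

    return {"e_type": e_type, "pie": e_type == ET_DYN, "relro": PT_GNU_RELRO in p_types}


def find_nonpie_setuid(root):
    """Walk `root` and return the setuid/setgid ELF files that are not PIE,
    i.e. what the non-position-independent-executable check flags."""
    offenders = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)           # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            try:
                with open(path, "rb") as f:
                    info = inspect_elf(f.read())
            except (OSError, ValueError):
                continue                     # unreadable, or a setuid script
            if not info["pie"]:
                offenders.append(path)
    return sorted(offenders)


def build_elf(elf64, little, e_type, p_types):
    """Constructed test image: a valid ELF header plus program headers that
    carry only p_type. Enough for inspect_elf(); not loadable."""
    end = "<" if little else ">"
    ehsize, phentsize = (64, 56) if elf64 else (52, 32)
    ident = (ELF_MAGIC + bytes([ELFCLASS64 if elf64 else ELFCLASS32,
                                ELFDATA2LSB if little else ELFDATA2MSB, 1])).ljust(16, b"\0")
    fields = (e_type, 62 if elf64 else 3, 1, 0, ehsize, 0, 0,
              ehsize, phentsize, len(p_types), 64 if elf64 else 40, 0, 0)
    hdr = struct.pack(end + ("HHIQQQIHHHHHH" if elf64 else "HHIIIIIHHHHHH"), *fields)
    phdrs = b"".join(struct.pack(end + "I", t).ljust(phentsize, b"\0") for t in p_types)
    return ident + hdr + phdrs


# Constructed samples; no real binaries ship with this example.
SAMPLES = {
    "x86_64 non-PIE, relro":  build_elf(True, True, ET_EXEC, [PT_INTERP, PT_GNU_RELRO]),
    "x86_64 PIE, relro":      build_elf(True, True, ET_DYN, [PT_INTERP, PT_GNU_RELRO]),
    "i386 non-PIE, no relro": build_elf(False, True, ET_EXEC, [PT_INTERP]),
    "big-endian PIE, relro":  build_elf(True, False, ET_DYN, [PT_INTERP, PT_GNU_RELRO]),
}

if __name__ == "__main__":
    for label, image in SAMPLES.items():
        print(f"{label:24} -> {inspect_elf(image)}")
    # On a real system: python3 this.py /usr  (defaults to /usr/bin)
    for path in find_nonpie_setuid(sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"):
        print("non-PIE setuid:", path)
```

The point the check makes concrete: -fpie on the compiler line alone is not enough, the final link also needs -pie, otherwise the result is still ET_EXEC and is loaded at a fixed address, which is exactly the case a wrapper or a --with-pie configure switch would cover in one place. Newer toolchains additionally mark PIE with DF_1_PIE in the dynamic section; this parser does not read the dynamic section, so it only distinguishes ET_EXEC from ET_DYN.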