F22 System Wide Change: Harden all packages with position-independent code

Richard W.M. Jones rjones at redhat.com
Sun Jan 11 02:10:27 UTC 2015


On Sat, Jan 10, 2015 at 03:19:28PM +0000, Peter Robinson wrote:
> > On Thu, 2015-01-08 at 08:47 -0500, Paul Wouters wrote:
> >> On Thu, 8 Jan 2015, Dhiru Kholia wrote:
> >>
> >> >> |     Your package accepts/processes untrusted input.
> >> >>
> >> >> This seems to be about every package that I use, because most if not
> >> >> all tools process untrusted data from the Internet.
> >> >
> >> > +1. This view is rapidly gaining traction and visibility in recent times.
> >>
> >> Can we throw prelink out as well when we do this?
> >
> >
> > Prelink is already gone. We haven't been running it since F19, IIRC.
> 
> It's not completely gone, there's still a number of packages that run
> it as part of the install or build process because I've had to fix
> ppc64le/aarch64 package builds because we don't have it at all on
> those platforms. I think we also ship it by default.

Note that the prelink package contains a useful utility called
"execstack".  We used to use this on OCaml programs to fix executable
stack flags (but not lately, since I patched the OCaml compiler to do
the right thing).  So you may have seen a dependency on prelink which
wasn't really about prelink.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v

