<div dir="ltr"><div class="gmail_default" style="font-family:georgia,serif"></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jan 7, 2015 at 5:30 AM, Josh Boyer <span dir="ltr">&lt;<a href="mailto:jwboyer@fedoraproject.org" target="_blank">jwboyer@fedoraproject.org</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="">
<br>
</span>We just went over something very much like this for x86_64 packages<br>
with FESCo ticket 1113:<br>
<br>
<a href="https://fedorahosted.org/fesco/ticket/1113" target="_blank">https://fedorahosted.org/fesco/ticket/1113</a><br>
<br>
Could you perhaps review that and elaborate on the differences between<br>
that proposal and this one if there are any?  Additionally, could you<br>
cover any of the concerns listed there that apply to this proposal?<br>
<span class=""><font color="#888888"><br>
josh<br>
</font></span></blockquote></div><br><div class="gmail_default"><span style="font-family:georgia,serif">Hi Josh,<br><br></span></div><div class="gmail_default"><span style="font-family:georgia,serif">That ticket is over 20 months old. It was discussed at a time when Fedora 19 was in the beta stage. I believe a lot has changed since then.<br><br></span></div><div class="gmail_default"><span style="font-family:georgia,serif">Since Fedora 20, pre-link is already disabled by default.<br><br></span></div><div class="gmail_default"><span style="font-family:georgia,serif">The security landscape has changed. With the major publicity from Heartbleed and ShellShock, I believe more people are now security conscious than before. Hopefully, they will understand the need for compromise in system performance in order to protect the system from being exploited. <br><br>For example: here <a href="http://lcamtuf.blogspot.com/2014/10/psa-dont-run-strings-on-untrusted-files.html">http://lcamtuf.blogspot.com/2014/10/psa-dont-run-strings-on-untrusted-files.html</a> (CVE-2014-8485) it states &quot;Many Linux distributions ship <i>strings</i> without ASLR, making potential attacks easier and more reliable - a situation reminiscent of one of the recent bugs in <i>bash</i>.&quot; <br>Which links here: <a href="http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html">http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html</a> (CVE-2014-6277) and (CVE-2014-6278) and states &quot;The issue is also made worse by the fact that only relatively few distributions were building bash as a position-independent executable that could be fully protected by ASLR.&quot;<br><br></span></div><div class="gmail_default"><span style="font-family:georgia,serif">-Moez<br></span></div><br></div></div>