= Proposed System Wide Change: Harden all packages with position-independent
code =
https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-...
Change owner(s): Till Maas <opensource(a)till.name>, Moez Roy
<moez.roy(a)gmail.com>
Harden all packages with position-independent code to limit the damage from
certain security vulnerabilities.
== Detailed Description ==
Currently, the Packaging Guidelines allow maintainers to decide whether their
packages use position-independent code (PIC). There are rules that say that a
lot of packages should use PIC, but in reality a lot of packages do not use
PIC even if they must. Also since a lot of packages if not all potentially
process untrusted input, it makes sense for these packages to use PIC to
enhance the security of Fedora. Therefore I propose to build all packages with
PIC by changing RPM to use the appropriate flags by default.
References:
*
https://fedorahosted.org/rel-eng/ticket/6049
* There should be several mails about this on the devel list
== Scope ==
* Proposal owners:
Help writing the new packaging guidelines.
* Other developers:
Change the rpm macros to build packages by default with PIC/PIE flags (i.e. set
_hardened_package to 1 by default).
* Release engineering:
Do a mass rebuild for all arch packages
* Policies and guidelines:
Adjust the Packaging Guidelines to allow non-PIC packages only if the package
is not working otherwise and require a tracker bug similar to packages not
working on certain archs. Update the Guidelines to reflect the new defaults.