On Friday, 11 September 2015 at 13:50, Alexander Todorov wrote:
Hello folks,
I'm looking at this feature:
https://fedoraproject.org/wiki/Changes/Harden_All_Packages
<quote>
How To Test
Running checksec should always report only
Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH
otherwise a tracking bug should exist for the respective packages
</quote>
On a current Rawhide installation I'm seeing lots of potential failures, for
example:
Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH
Question is how to deal with these because they appear to be in the hundreds?
How many, exactly? We have around 20000 SRPMs in the distribution.
I will do my best to filter out any false negatives and group the results
per package but this still leaves quite a big number of bugs to report.
How do you feel about reporting all of these offences automatically? Are
there any known exceptions which should be mentioned in the wiki page above?
Some RPATHs are acceptable, in general: %{_libdir}/foo. See
https://fedoraproject.org/wiki/Packaging:Guidelines#Rpath_for_Internal_Li...
Regards,
Dominik
--
Fedora
http://fedoraproject.org/wiki/User:Rathann
RPMFusion
http://rpmfusion.org
"Faith manages."
-- Delenn to Lennier in Babylon 5:"Confessions and Lamentations"
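
Added example, not part of the original thread: one way to group checksec deviations per package while honouring the internal-library RPATH exception mentioned in the reply. The input layout (package and raw RPATH columns, separators of two or more spaces), the "RPATH" status string, and /usr/lib64 as the expansion of %{_libdir} are assumptions; the sample lines are constructed.

```python
import posixpath
import re
from collections import defaultdict

# Status strings taken from the "How To Test" text quoted in the thread.
EXPECTED = ["Full RELRO", "Canary found", "NX enabled",
            "PIE enabled", "No RPATH", "No RUNPATH"]
LIBDIR = "/usr/lib64"  # assumption: expansion of %{_libdir} on a 64-bit install

# Constructed sample: package, file, six checksec columns, raw RPATH ("-" if none).
# Columns are separated by two or more spaces (assumed layout, not checksec's own).
SAMPLE = """\
foo  /usr/bin/foo  Full RELRO  Canary found  NX enabled  PIE enabled  No RPATH  No RUNPATH  -
foo  /usr/bin/foo-helper  Partial RELRO  Canary found  NX enabled  No PIE  No RPATH  No RUNPATH  -
bar  /usr/bin/bar  Full RELRO  Canary found  NX enabled  PIE enabled  RPATH  No RUNPATH  /usr/lib64/bar
baz  /usr/bin/baz  Full RELRO  Canary found  NX enabled  PIE enabled  RPATH  No RUNPATH  /usr/lib64/baz/../../../tmp
"""


def rpath_is_internal(rpath, libdir=LIBDIR):
    """True only if every RPATH entry is a strict subdirectory of libdir."""
    # normpath collapses ".." so an entry cannot escape libdir by traversal;
    # an empty entry normalises to "." (current directory) and is rejected.
    return all(posixpath.normpath(entry).startswith(libdir + "/")
               for entry in rpath.split(":"))


def failures_by_package(text):
    """Return {package: {file: [deviating columns]}} for lines that fail."""
    report = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        pkg, path, *cols = re.split(r"\s{2,}", line.strip())
        status, rpath = cols[:6], cols[6]
        bad = [got for got, want in zip(status, EXPECTED) if got != want]
        # Exception from the thread: an RPATH inside %{_libdir}/<dir> is acceptable.
        # RUNPATH gets no such exception in this sketch.
        if "RPATH" in bad and rpath_is_internal(rpath):
            bad.remove("RPATH")
        if bad:
            report[pkg][path] = bad
    return dict(report)


if __name__ == "__main__":
    for pkg, files in failures_by_package(SAMPLE).items():
        print(pkg, files)
```

Grouping by package rather than by file keeps the number of bug reports closer to the number of affected SRPMs than to the number of failing binaries.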