Plan for tomorrow's FESCo meeting (2011-06-21)

Miloslav Trmač mitr at volny.cz
Thu Jun 23 15:11:09 UTC 2011


On Thu, Jun 23, 2011 at 10:54 AM, Richard W.M. Jones <rjones at redhat.com> wrote:
> On Wed, Jun 22, 2011 at 03:57:58PM -0400, Adam Jackson wrote:
>> * #563 suggested policy: all daemons must set RELRO and PIE flags
>>   (ajax, 17:53:41)
>>   * LINK: https://fedorahosted.org/fpc/ticket/93   (nirik, 17:54:34)
>>   * ACTION: nirik to come up with guidelines for next week  (ajax,
>>     18:07:03)
>>   * ACTION: ajax to add relro to redhat-rpm-config  (ajax, 18:07:16)
>
> The discussion in the ticket seems like it would only apply to
> programs written in C/C++, but it doesn't say this.
>
> Since other languages are usually much safer than C/C++ and the aim of
> this is security, it seems like we should explicitly exclude other
> languages from the requirement.

As long as there is a single exploitable module in the address space
(and there pretty much always is - libc or the language runtime),
having relro for all modules helps.

Anyway, redhat-rpm-config will probably set gcc flags, which excludes
other languages automatically - and I don't think this is really a
good thing.
   Mirek


More information about the devel mailing list