F22 System Wide Change: Harden all packages with position-independent code
jreznik at redhat.com
Wed Jan 7 11:41:32 UTC 2015
= Proposed System Wide Change: Harden all packages with position-independent
Change owner(s): Till Maas <opensource at till.name>, Moez Roy
<moez.roy at gmail.com>
Harden all packages with position-independent code to limit the damage from
certain security vulnerabilities.
== Detailed Description ==
Currently, the Packaging Guidelines allow maintainers to decide whether their
packages use position-independent code (PIC). There are rules that say that a
lot of packages should use PIC, but in reality a lot of packages do not use
PIC even if they must. Also since a lot of packages if not all potentially
process untrusted input, it makes sense for these packages to use PIC to
enhance the security of Fedora. Therefore I propose to build all packages with
PIC by changing RPM to use the appropriate flags by default.
* There should be several mails about this on the devel list
== Scope ==
* Proposal owners:
Help writing the new packaging guidelines.
* Other developers:
Change the rpm macros to build packages by default with PIC/PIE flags (i.e. set
_hardened_package to 1 by default).
* Release engineering:
Do a mass rebuild for all arch packages
* Policies and guidelines:
Adjust the Packaging Guidelines to allow non-PIC packages only if the package
is not working otherwise and require a tracker bug similar to packages not
working on certain archs. Update the Guidelines to reflect the new defaults.
devel-announce mailing list
devel-announce at lists.fedoraproject.org
More information about the devel