F22 System Wide Change: Harden all packages with position-independent code

Jaroslav Reznik jreznik at redhat.com
Wed Jan 7 11:41:32 UTC 2015

= Proposed System Wide Change: Harden all packages with position-independent 
code =

Change owner(s): Till Maas <opensource at till.name>, Moez Roy 
<moez.roy at gmail.com>

Harden all packages with position-independent code to limit the damage from 
certain security vulnerabilities. 

== Detailed Description ==
Currently, the Packaging Guidelines allow maintainers to decide whether their 
packages use position-independent code (PIC). There are rules that say that a 
lot of packages should use PIC, but in reality a lot of packages do not use 
PIC even if they must. Also since a lot of packages if not all potentially 
process untrusted input, it makes sense for these packages to use PIC to 
enhance the security of Fedora. Therefore I propose to build all packages with 
PIC by changing RPM to use the appropriate flags by default.

* https://fedorahosted.org/rel-eng/ticket/6049
* There should be several mails about this on the devel list 

== Scope ==
* Proposal owners:
Help writing the new packaging guidelines.

* Other developers:
Change the rpm macros to build packages by default with PIC/PIE flags (i.e. set 
_hardened_package to 1 by default).

* Release engineering:
Do a mass rebuild for all arch packages

* Policies and guidelines:
Adjust the Packaging Guidelines to allow non-PIC packages only if the package 
is not working otherwise and require a tracker bug similar to packages not 
working on certain archs. Update the Guidelines to reflect the new defaults.

devel-announce mailing list
devel-announce at lists.fedoraproject.org

More information about the devel mailing list