F22 System Wide Change: Harden all packages with position-independent code

Josh Boyer jwboyer at fedoraproject.org
Wed Jan 7 13:30:03 UTC 2015

On Wed, Jan 7, 2015 at 6:41 AM, Jaroslav Reznik <jreznik at redhat.com> wrote:
> = Proposed System Wide Change: Harden all packages with position-independent
> code =
> https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
> Change owner(s): Till Maas <opensource at till.name>, Moez Roy
> <moez.roy at gmail.com>
> Harden all packages with position-independent code to limit the damage from
> certain security vulnerabilities.
> == Detailed Description ==
> Currently, the Packaging Guidelines allow maintainers to decide whether their
> packages use position-independent code (PIC). There are rules that say that a
> lot of packages should use PIC, but in reality a lot of packages do not use
> PIC even if they must. Also since a lot of packages if not all potentially
> process untrusted input, it makes sense for these packages to use PIC to
> enhance the security of Fedora. Therefore I propose to build all packages with
> PIC by changing RPM to use the appropriate flags by default.
> References:
> * https://fedorahosted.org/rel-eng/ticket/6049
> * There should be several mails about this on the devel list

We just went over something very much like this for x86_64 packages
with FESCo ticket 1113:


Could you perhaps review that and elaborate on the differences between
that proposal and this one if there are any?  Additionally, could you
cover any of the concerns listed there that apply to this proposal?


More information about the devel mailing list