F22 System Wide Change: Harden all packages with position-independent code
Josh Boyer
jwboyer at fedoraproject.org
Wed Jan 7 13:30:03 UTC 2015
On Wed, Jan 7, 2015 at 6:41 AM, Jaroslav Reznik <jreznik at redhat.com> wrote:
> = Proposed System Wide Change: Harden all packages with position-independent
> code =
> https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
>
> Change owner(s): Till Maas <opensource at till.name>, Moez Roy
> <moez.roy at gmail.com>
>
> Harden all packages with position-independent code to limit the damage from
> certain security vulnerabilities.
>
> == Detailed Description ==
> Currently, the Packaging Guidelines allow maintainers to decide whether their
> packages use position-independent code (PIC). There are rules that say that a
> lot of packages should use PIC, but in reality a lot of packages do not use
> PIC even if they must. Also since a lot of packages if not all potentially
> process untrusted input, it makes sense for these packages to use PIC to
> enhance the security of Fedora. Therefore I propose to build all packages with
> PIC by changing RPM to use the appropriate flags by default.
>
> References:
> * https://fedorahosted.org/rel-eng/ticket/6049
> * There should be several mails about this on the devel list
We just went over something very much like this for x86_64 packages
with FESCo ticket 1113:
https://fedorahosted.org/fesco/ticket/1113
Could you perhaps review that and elaborate on the differences between
that proposal and this one if there are any? Additionally, could you
cover any of the concerns listed there that apply to this proposal?
josh
More information about the devel
mailing list