[Fedora-packaging] RFC mass bug reporting: checksec failures
Alexander Todorov
atodorov at redhat.com
Thu Sep 17 08:27:36 UTC 2015
On 16.09.2015 at 22:59, Richard W.M. Jones wrote:
> The majority of the packages of mine on this list fall into
> three groups:
>
> - erlang packages
>
> - mingw packages
>
> - ocaml packages
>
> I'm pretty sure mingw packages should all be excluded. Who knows what
> Windows uses (and who cares).
>
Hi Richard,
please correct me if I'm wrong but aren't these mingw* packages supposed to
facilitate development of Windows applications on Linux? IOW they are supposed
to be working on Linux. As such I'd say they should also be hardened, but this
is probably a low priority item.
> Erlang code generation is an unknown quantity.
So I take it we should treat erlang packages as genuine errors until we know
better.
>
> For OCaml, I think you should ignore anything under %{libdir}/ocaml/
> since those are development files. (Their contents may eventually end
> up in a binary, but we can worry about that when we see the binary).
> That removes most of the failures.
>
As far as I can see most of them report "Partial RELRO" which may well be fixed
as you propose below. If not I can easily exclude them.
> For OCaml binaries, it seems as if most of them are like this:
>
> Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH ./usr/bin/ocamlc.opt
>
> As far as I understand it, the only problems there are "Partial RELRO"
> which should in an ideal world be "Full RELRO"; and "No PIE".
>
> I guess we can fix the RELRO problem by linking with -z now. It may
> require a compiler patch.
>
Please post a link if you file a bug upstream.
--
Alex