[Fedora-packaging] RFC mass bug reporting: checksec failures

Richard W.M. Jones rjones at redhat.com
Thu Sep 17 09:26:54 UTC 2015 

On Thu, Sep 17, 2015 at 11:27:36AM +0300, Alexander Todorov wrote:
> На 16.09.2015 в 22:59, Richard W.M. Jones написа:
> >The majority of the packages of mine on this list fall into
> >three groups:
> >
> >  - erlang packages
> >
> >  - mingw packages
> >
> >  - ocaml packages
> >
> >I'm pretty sure mingw packages should all be excluded.  Who knows what
> >Windows uses (and who cares).
> >
> 
> Hi Richard,
> please correct me if I'm wrong but aren't these mingw* packages
> supposed to facilitate development of Windows applications on Linux
> ? IOW they are supposed to be working on Linux. As such I'd say they
> should also be hardened, but this is probably a low priority item.

Actually yes that's correct.  For some reason I thought it was looking
at the Windows DLLs, but it's looking at the native Linux binaries.

> >For OCaml, I think you should ignore anything under %{libdir}/ocaml/
> >since those are development files.  (Their contents may eventually end
> >up in a binary, but we can worry about that when we see the binary).
> >That removes most of the failures.
> >
> 
> As far as I can see most of them report "Partial RELRO" which may
> well be fixed as you propose below. If not I can easily exclude
> them.

They're intermediate files used by developers.  They aren't runnable
binaries.  I think everything in %{libdir}/ocaml should be ignored.

> >For OCaml binaries, it seems as if most of them are like this:
> >
> >   Partial RELRO   Canary found   NX enabled  No PIE   No RPATH  No RUNPATH  ./usr/bin/ocamlc.opt
> >
> >As far as I understand it, the only problems there are "Partial RELRO"
> >which should in an ideal world be "Full RELRO"; and "No PIE".
> >
> >I guess we can fix the RELRO problem by linking with -z now.  It may
> >require a compiler patch.
> >
> 
> Please post a link if you file a bug upstream.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW

More information about the devel mailing list