[Fedora-packaging] RFC mass bug reporting: checksec failures
Dominik 'Rathann' Mierzejewski
dominik at greysector.net
Sat Sep 12 05:48:01 UTC 2015
On Friday, 11 September 2015 at 13:50, Alexander Todorov wrote:
> Hello folks,
> I'm looking at this feature:
>
> https://fedoraproject.org/wiki/Changes/Harden_All_Packages
>
> <quote>
> How To Test
>
> Running checksec should always report only
>
> Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH
>
> otherwise a tracking bug should exist for the respective packages
> </quote>
>
>
> On a current Rawhide installation I'm seeing lots of potential failures, for
> example:
>
> Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH
>
>
> Question is how to deal with these because they appear to be in the hundreds?
How many, exactly? We have around 20000 SRPMs in the distribution.
> I will do my best to filter out any false negatives and group the results
> per package but this still leaves quite a big number of bugs to report.
>
> How do you feel about reporting all of these offences automatically? Are
> there any known exceptions which should be mentioned in the wiki page above?
Some RPATHs are acceptable, in general: %{_libdir}/foo. See
https://fedoraproject.org/wiki/Packaging:Guidelines#Rpath_for_Internal_Libraries
Regards,
Dominik
--
Fedora http://fedoraproject.org/wiki/User:Rathann
RPMFusion http://rpmfusion.org
"Faith manages."
-- Delenn to Lennier in Babylon 5:"Confessions and Lamentations"
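
The triage discussed in this thread, as an added example that is not part of the original message or of checksec: it parses checksec result lines, compares each column with the hardened baseline quoted above, applies the `%{_libdir}/foo` RPATH exception, and groups the remaining failures per package. Assumptions: `%{_libdir}` is `/usr/lib64`, RPATH values are supplied separately (checksec prints only `RPATH` / `No RPATH`), a `DSO` result is treated as passing, and all paths and package names are constructed.

```python
import re
from collections import defaultdict
# (column, hardened value quoted in the thread, values checksec can print there)
FIELDS = [
    ("relro", "Full RELRO", r"(Full RELRO|Partial RELRO|No RELRO)"),
    ("canary", "Canary found", r"(Canary found|No canary found)"),
    ("nx", "NX enabled", r"(NX enabled|NX disabled)"),
    ("pie", "PIE enabled", r"(PIE enabled|No PIE|DSO)"),
    ("rpath", "No RPATH", r"(No RPATH|RPATH)"),
    ("runpath", "No RUNPATH", r"(No RUNPATH|RUNPATH)"),
]
LINE_RE = re.compile(r"\s+".join(f[2] for f in FIELDS) + r"\s+(\S+)$")
ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")  # checksec colours its output

def rpath_allowed(rpath, libdir="/usr/lib64"):
    """True if every entry is a subdirectory of libdir (the %{_libdir}/foo case)."""
    entries = [e for e in rpath.split(":") if e]
    return bool(entries) and all(
        e.startswith(libdir + "/") and ".." not in e.split("/") for e in entries)

def failures(line, rpaths=None):
    """Return (path, deviating values) for one checksec line, None if unparsable."""
    m = LINE_RE.match(ANSI_RE.sub("", line).strip())
    if not m:
        return None
    *values, path = m.groups()
    bad = []
    for (name, good, _), value in zip(FIELDS, values):
        exempt = value == "DSO" or (  # assumption: shared objects pass the PIE check
            name in ("rpath", "runpath") and rpath_allowed((rpaths or {}).get(path, "")))
        if value != good and not exempt:
            bad.append(value)
    return path, bad

def group_by_package(lines, owner, rpaths=None):
    report = defaultdict(list)  # owning package -> [(path, deviating values)]
    for line in lines:
        parsed = failures(line, rpaths)
        if parsed and parsed[1]:
            report[owner.get(parsed[0], "unknown")].append(parsed)
    return dict(report)
# Constructed sample input: paths, package names and the RPATH value are made up.
SAMPLE = [
    "Full RELRO     Canary found  NX enabled  PIE enabled  No RPATH  No RUNPATH  /usr/bin/alpha",
    "Partial RELRO  Canary found  NX enabled  No PIE       No RPATH  No RUNPATH  /usr/bin/beta",
    "Full RELRO     Canary found  NX enabled  PIE enabled  RPATH     No RUNPATH  /usr/bin/gamma",
]
OWNER = {"/usr/bin/alpha": "alpha", "/usr/bin/beta": "beta", "/usr/bin/gamma": "gamma"}
RPATHS = {"/usr/bin/gamma": "/usr/lib64/gamma"}  # as read from the ELF dynamic section
```

`group_by_package(SAMPLE, OWNER, RPATHS)` leaves only the `beta` entry, giving one candidate bug per package rather than one per file.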