On Mon, Feb 6, 2012 at 5:35 PM, Ricky Zhou <ricky@xxxxxxxxxxxxxxxxx> wrote:
> On 2012-02-06 11:59:53 AM, Bill Nottingham wrote:
>> Stephen John Smoogen (smooge@xxxxxxxxx) said:
>> > > > Discussion from irc today pointed out the..... difficulty with our
>> > > > security with prelink running on our systems.
>>
>> Is this a general issue that should be pushed up the stack?
> I think the "difficulty with our security" bit was referring to some
> weirdness which caused issues with the needs-restarting utility.
> However, I do have other reasons for questioning the need for prelink in
> Fedora in general.
>
> My main issue is that with prelink enabled, non-PIE binaries essentially
> have library address randomization disabled (they are still randomized
> every 2 weeks when prelink runs, but the addresses stay the same in
> between). This makes many types of security bugs far easier to exploit
> on Fedora than on distros without prelink.
>
> One argument against this point is that we should just enable PIE on
> apps which are security-sensitive, or which are likely to be exploited.
> While I definitely don't disagree with this point, I think we're very
> far from having that happen, and in addition, doing so would cause us to
> lose many of the speedups that prelink is supposed to give (programs
> which need to handle a lot of potentially untrusted inputs, like
> openoffice, should then have PIE enabled).
>
> With all this in mind, I'd definitely be interested in seeing a
> discussion about whether prelink should stay enabled by default on
> Fedora.
>
> Thanks,
> Ricky
>
> _______________________________________________
> infrastructure mailing list
> infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/infrastructure

Also, 80%+ of packages from rpmfusion use prelink.

--
------------
Itamar Reis Peixoto
msn, google talk: itamar@xxxxxxxxxxxxxxxx
+55 11 4063 5033 (FIXO SP)
+55 34 9158 9329 (TIM)
+55 34 8806 3989 (OI)
+55 34 3221 8599 (FIXO MG)
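As an added illustration of the point Ricky makes above (example code written for this page, not part of the thread, of Fedora's tooling, or of prelink itself): a small ELF64 reader that reports whether an executable is PIE (`e_type == ET_DYN`, so the kernel can place it and its libraries anywhere on each exec) and whether prelink has rewritten it. The "prelinked" test assumes that prelink marks a rewritten file with a `.gnu.prelink_undo` section (the data `prelink -u` uses to restore the original); the `build_elf` helper constructs synthetic, non-executable ELF images purely so the checks can be exercised without real binaries.

```python
import struct
import sys

# Added example, not code from the thread. A non-PIE executable (ET_EXEC) is
# mapped at a fixed address; when prelink has also assigned its libraries
# fixed bases, those bases only change when prelink is re-run, which is the
# randomization loss described in the mail. Prelinked files are recognised
# here by the ".gnu.prelink_undo" section prelink adds (assumption stated in
# the lead-in).

ET_EXEC, ET_DYN = 2, 3
EHDR_FMT = "HHIQQQIHHHHHH"   # ELF64 header fields after the 16-byte e_ident
SHDR_FMT = "IIQQQQIIQQ"      # ELF64 section header (64 bytes)


def _header(data):
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELF64 is handled in this example")
    end = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little, 2 = big endian
    return end, struct.unpack(end + EHDR_FMT, data[16:64])


def elf_type(data):
    """'EXEC' for a fixed-address executable, 'DYN' for a PIE or shared object."""
    _, f = _header(data)
    return {ET_EXEC: "EXEC", ET_DYN: "DYN"}.get(f[0], "OTHER")


def section_names(data):
    """All section names, resolved through the section-name string table."""
    end, f = _header(data)
    e_shoff, e_shentsize, e_shnum, e_shstrndx = f[5], f[10], f[11], f[12]
    if e_shoff == 0 or e_shnum == 0:
        return []

    def shdr(i):
        off = e_shoff + i * e_shentsize
        return struct.unpack(end + SHDR_FMT, data[off:off + 64])

    str_hdr = shdr(e_shstrndx)
    strtab = data[str_hdr[4]:str_hdr[4] + str_hdr[5]]   # sh_offset, sh_size
    names = []
    for i in range(e_shnum):
        start = shdr(i)[0]                               # sh_name
        names.append(strtab[start:strtab.index(b"\0", start)].decode("ascii", "replace"))
    return names


def is_pie(data):
    return elf_type(data) == "DYN"


def is_prelinked(data):
    return ".gnu.prelink_undo" in section_names(data)


def assess(data):
    """Summarise the randomization consequence the thread describes."""
    pie, pre = is_pie(data), is_prelinked(data)
    return {
        "type": elf_type(data),
        "pie": pie,
        "prelinked": pre,
        # Only a non-PIE, prelinked executable ends up with library bases that
        # stay fixed until the next prelink run; a PIE or an un-prelinked
        # binary still gets per-exec library randomization from the kernel.
        "fixed_library_layout": (not pie) and pre,
    }


def build_elf(e_type, extra_sections=(), little_endian=True):
    """Construct a minimal ELF64 image (header, .shstrtab, section headers).
    Constructed test input only: it contains no code and cannot execute, but
    it is enough to exercise the checks above without touching real binaries."""
    end = "<" if little_endian else ">"
    names = [".shstrtab", ".text", *extra_sections]
    strtab, name_off = b"\0", {}
    for n in names:
        name_off[n] = len(strtab)
        strtab += n.encode() + b"\0"
    str_off = 64
    shoff = str_off + len(strtab)
    shoff += (-shoff) % 8
    shdrs = [bytes(64)]                                   # index 0: SHT_NULL
    for n in names:
        is_str = n == ".shstrtab"
        shdrs.append(struct.pack(end + SHDR_FMT, name_off[n], 3 if is_str else 1,
                                 0, 0, str_off if is_str else 0,
                                 len(strtab) if is_str else 0, 0, 0, 1, 0))
    ident = b"\x7fELF" + bytes([2, 1 if little_endian else 2, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack(end + EHDR_FMT, e_type, 62, 1, 0, 0, shoff, 0,
                               64, 0, 0, 64, len(shdrs), 1)
    body = ehdr + strtab
    return body + bytes(shoff - len(body)) + b"".join(shdrs)


if __name__ == "__main__":
    # Usage: python3 prelink_check.py /path/to/binary ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, assess(fh.read()))
```

Run against real files it prints one dict per binary; a result with `"pie": False` and `"prelinked": True` is the case Ricky is describing, and switching such a package to PIE (or excluding it from prelink) is what restores per-exec library randomization.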