On Thu, Jun 23, 2011 at 10:54 AM, Richard W.M. Jones <rjones@xxxxxxxxxx> wrote:
> On Wed, Jun 22, 2011 at 03:57:58PM -0400, Adam Jackson wrote:
>> * #563 suggested policy: all daemons must set RELRO and PIE flags
>>   (ajax, 17:53:41)
>> * LINK: https://fedorahosted.org/fpc/ticket/93 (nirik, 17:54:34)
>> * ACTION: nirik to come up with guidelines for next week (ajax,
>>   18:07:03)
>> * ACTION: ajax to add relro to redhat-rpm-config (ajax, 18:07:16)
>
> The discussion in the ticket seems like it would only apply to
> programs written in C/C++, but it doesn't say this.
>
> Since other languages are usually much safer than C/C++ and the aim of
> this is security, it seems like we should explicitly exclude other
> languages from the requirement.

As long as there is a single exploitable module in the address space
(and there pretty much always is - libc or the language runtime),
having relro for all modules helps.

Anyway, redhat-rpm-config will probably set gcc flags, which excludes
other languages automatically - and I don't think this is really a
good thing.
   Mirek