Steve Grubb wrote: > On Tuesday, August 09, 2011 07:51:07 AM Matthew Garrett wrote: > >> On Mon, Aug 08, 2011 at 11:16:12PM -0400, Steve Grubb wrote: >> >>> This list is woefully incomplete. I would advocate a much larger list. >>> For example, sudo is a very important program that we make security >>> claims about. It is not on that list. >>> >> Because it's SUID. >> > > ? Its one in the target group. > > > >>> I think there should have been some discussion about this on the FESCO >>> request I submitted. I have some concerns about what was implemented. >>> Are there bz filed for this or more discussion about it somewhere? >>> >> We spent weeks discussing this. Where were you during the meetings? >> > > Taking RHEL6 through common criteria and FIPS-140, filing dozens of security > bugs after studying some problems and sending patches. I am monitoring the > FESCO ticket, but I don't monitor fedora-devel all the time because there are > way too many arguments for my taste. Regardless, should there not have been > some hint about anything on the ticket? I responded to any review request for > the wiki page and such. > > My main concern is that the macro will be misapplied and overall performance > will take a hit. I don't know how a macro can tell the intent of an > application as it links it. The macro can't, but the maintainer can. The maintainer is presumably capable of, and responsible for, assessing whether her package would be a good candidate for this, and if so, testing builds done with the macro. Then if, performance is fine, on it goes. If performance sucks, it doesn't. -J > There has not been a chmod so that it knows this > is setuid and needs more protection. For example, if coreutils was built with > this (and coreutils seems to be correct as is) because it has setuid programs, > then would all apps get the PIE/Full RELRO treatment? If so, many of coreutils > apps are called constantly by shell scripts. If this were used on tcpdump, > would full relro leak to the libpcap? I suppose I could test this as soon as I > set up a rawhide vm...but this is what concerns me about the approach. > > -Steve > -- in your fear, seek only peace in your fear, seek only love -d. bowie -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
