= Proposed System Wide Change: Harden all packages with position-independent code =

https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code

Change owner(s): Till Maas <opensource@xxxxxxxxx>, Moez Roy <moez.roy@xxxxxxxxx>

Harden all packages with position-independent code to limit the damage from certain security vulnerabilities.

== Detailed Description ==

Currently, the Packaging Guidelines allow maintainers to decide whether their packages use position-independent code (PIC). There are rules that say that a lot of packages should use PIC, but in reality a lot of packages do not use PIC even if they must. Also, since a lot of packages, if not all, potentially process untrusted input, it makes sense for these packages to use PIC to enhance the security of Fedora. Therefore I propose to build all packages with PIC by changing RPM to use the appropriate flags by default.

References:
* https://fedorahosted.org/rel-eng/ticket/6049
* There should be several mails about this on the devel list

== Scope ==

* Proposal owners: Help writing the new packaging guidelines.
* Other developers: Change the rpm macros to build packages by default with PIC/PIE flags (i.e. set _hardened_package to 1 by default).
* Release engineering: Do a mass rebuild for all arch packages.
* Policies and guidelines: Adjust the Packaging Guidelines to allow non-PIC packages only if the package is not working otherwise and require a tracker bug similar to packages not working on certain archs. Update the Guidelines to reflect the new defaults.

_______________________________________________
devel-announce mailing list
devel-announce@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel-announce
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
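Once the rpm macros build with PIC/PIE flags by default, the thing a maintainer or reviewer wants to verify is the result: was a given binary actually linked position-independent? The script below is an added example, not part of the proposal or of Fedora's tooling. It parses the ELF header and program headers itself (no readelf or checksec needed) and reports whether a file is a fixed-address executable (ET_EXEC), a PIE executable (ET_DYN with a PT_INTERP header) or a shared object (ET_DYN without one). The ET_EXEC, ET_DYN and PT_INTERP values come from the ELF specification; the sample images it builds when run without arguments are constructed header-only fixtures, not loadable programs.

```python
#!/usr/bin/env python3
"""Classify ELF files as non-PIE executables, PIE executables or shared objects.

Added example for the PIC/PIE packaging change; it reads only the ELF header
and program headers, so it needs no external tools.
"""
import struct
import sys

ET_EXEC = 2     # fixed-address executable: not relocatable, defeats ASLR for the main image
ET_DYN = 3      # position-independent: a shared object or a PIE executable
PT_INTERP = 3   # program header naming the dynamic loader; present only in executables


def classify_elf(data: bytes) -> str:
    """Return 'non-PIE executable', 'PIE executable', 'shared object' or 'other'."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is_64 = data[4] == 2                    # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    endian = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little, 2 = big
    if len(data) < (64 if is_64 else 52):
        raise ValueError("truncated ELF header")
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    if is_64:
        # ELF64: e_phoff at 32 (8 bytes), e_phentsize at 54, e_phnum at 56
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
    else:
        # ELF32: e_phoff at 28 (4 bytes), e_phentsize at 42, e_phnum at 44
        (e_phoff,) = struct.unpack_from(endian + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
    if e_type == ET_EXEC:
        return "non-PIE executable"
    if e_type != ET_DYN:
        return "other"          # ET_REL object files, core dumps, etc.
    # ET_DYN covers both libraries and PIE executables; only the latter carry PT_INTERP
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            raise ValueError("program header table runs past end of file")
        (p_type,) = struct.unpack_from(endian + "I", data, off)   # p_type is first in both ELF32/ELF64
        if p_type == PT_INTERP:
            return "PIE executable"
    return "shared object"


def build_sample_elf(e_type: int, with_interp: bool, is_64: bool = True) -> bytes:
    """Construct a minimal, non-loadable ELF image (constructed fixture for testing only)."""
    ph_types = [PT_INTERP, 1] if with_interp else [1]   # 1 = PT_LOAD
    if is_64:
        ehsize, phentsize = 64, 56
        ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)        # 64-bit, little-endian, v1
        header = ident + struct.pack("<HHIQQQIHHHHHH",
                                     e_type, 62, 1, 0, ehsize, 0, 0,   # e_machine 62 = x86-64
                                     ehsize, phentsize, len(ph_types), 0, 0, 0)
        phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, 0, 0, 0, 0, 0, 0) for t in ph_types)
    else:
        ehsize, phentsize = 52, 32
        ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)        # 32-bit, little-endian, v1
        header = ident + struct.pack("<HHIIIIIHHHHHH",
                                     e_type, 3, 1, 0, ehsize, 0, 0,    # e_machine 3 = i386
                                     ehsize, phentsize, len(ph_types), 0, 0, 0)
        phdrs = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, 0, 0) for t in ph_types)
    return header + phdrs


def main(argv):
    if len(argv) > 1:
        # Real use: python3 elfpie.py /usr/bin/* reports each file's linkage type
        for path in argv[1:]:
            with open(path, "rb") as fh:
                print(f"{path}: {classify_elf(fh.read())}")
    else:
        # Demonstration on the constructed fixtures
        for name, blob in (("exec-sample", build_sample_elf(ET_EXEC, True)),
                           ("pie-sample", build_sample_elf(ET_DYN, True)),
                           ("lib-sample", build_sample_elf(ET_DYN, False))):
            print(f"{name}: {classify_elf(blob)}")


if __name__ == "__main__":
    main(sys.argv)
```

This checks only the PIE property of the final link; it says nothing about whether individual object files were compiled with -fPIC, nor about the other hardening a hardened build may enable (RELRO, BIND_NOW, stack protector). A file reported as "non-PIE executable" in a package built after the change is exactly the case the tracker-bug exception in the Scope section is meant to cover.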