On 16.09.2015 at 22:59, Richard W.M. Jones wrote:
> The majority of the packages of mine on this list fall into
> three groups:
> - erlang packages
> - mingw packages
> - ocaml packages
> I'm pretty sure mingw packages should all be excluded. Who knows what
> Windows uses (and who cares).

Hi Richard,
please correct me if I'm wrong but aren't these mingw* packages supposed to
facilitate development of Windows applications on Linux? IOW they are supposed
to be working on Linux. As such I'd say they should also be hardened, but this
is probably a low priority item.

> Erlang code generation is an unknown quantity.

So I take it we should treat erlang packages as genuine errors until we know
better.

> For OCaml, I think you should ignore anything under %{libdir}/ocaml/
> since those are development files. (Their contents may eventually end
> up in a binary, but we can worry about that when we see the binary).
> That removes most of the failures.

As far as I can see most of them report "Partial RELRO" which may well be fixed
as you propose below. If not I can easily exclude them.

> For OCaml binaries, it seems as if most of them are like this:
> Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH ./usr/bin/ocamlc.opt
> As far as I understand it, the only problems there are "Partial RELRO"
> which should in an ideal world be "Full RELRO"; and "No PIE".
> I guess we can fix the RELRO problem by linking with -z now. It may
> require a compiler patch.

Please post a link if you file a bug upstream.
--
Alex
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
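
The "Partial RELRO", "Full RELRO" and "No PIE" verdicts discussed in this thread are derived from fields in the ELF file itself: a PT_GNU_RELRO program header, the BIND_NOW dynamic flags that linking with -z now sets, and the ELF type. The following Python is an added example, not code from the thread or from the checking tool; it handles little-endian ELF64 only, and the names `classify` and `sample_elf` and the in-memory sample images are constructed for illustration.

```python
import struct

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
ET_EXEC, ET_DYN = 2, 3

def classify(elf):
    """Return (relro, pie) verdicts for a little-endian ELF64 image."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("only little-endian ELF64 is handled here")
    e_type = struct.unpack_from("<H", elf, 16)[0]
    e_phoff = struct.unpack_from("<Q", elf, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    has_relro = bind_now = False
    for i in range(e_phnum):
        ph = e_phoff + i * e_phentsize
        p_type, _flags, p_offset = struct.unpack_from("<IIQ", elf, ph)
        p_filesz = struct.unpack_from("<Q", elf, ph + 32)[0]
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            # Walk the Elf64_Dyn entries (16 bytes each) until DT_NULL.
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", elf, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True
    relro = "No RELRO" if not has_relro else "Full RELRO" if bind_now else "Partial RELRO"
    return relro, ("No PIE" if e_type == ET_EXEC else "PIE or DSO")

def sample_elf(e_type, relro, now):
    """Constructed image: ELF header, two program headers, dynamic section."""
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if now else b""
    dyn += struct.pack("<qQ", DT_NULL, 0)
    dyn_off = 64 + 2 * 56
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    def phdr(p_type, off, size):
        return struct.pack("<IIQQQQQQ", p_type, 4, off, off, off, size, size, 8)
    second = PT_GNU_RELRO if relro else 4  # 4 = PT_NOTE, a neutral filler
    return hdr + phdr(PT_DYNAMIC, dyn_off, len(dyn)) + phdr(second, dyn_off, len(dyn)) + dyn

if __name__ == "__main__":
    print(classify(sample_elf(ET_EXEC, relro=True, now=False)))  # same verdicts as the ocamlc.opt line
    print(classify(sample_elf(ET_DYN, relro=True, now=True)))
```

An ET_DYN image is reported as "PIE or DSO" because the ELF type alone does not distinguish a position-independent executable from a shared library.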