Re: Fedora 33 System-Wide Change proposal: CompilerPolicy Change


On Fri, 2020-06-05 at 13:53 -0600, Jeff Law wrote:
> > On 05/06/20 10:26 +0200, Igor Raits wrote:
> > ...
> > > Well, upstreams are not necessarily enabling many security features
> > > or optimizations. So you are effectively saying "upstream knows
> > > better" where I would have to disagree with you.
> > 
> > Yes, this is a very good point.
> > 
> > Many of Fedora's packages have upstreams that are not using the latest
> > compilers, libraries, security features etc.
> > 
> > Just because upstream hasn't been updated to work with compiler
> > hardening features doesn't mean we should disable those features. Just
> > because upstream's code is not portable to more than one compiler
> > doesn't mean we shouldn't send them bugs (or better still, patches).
> Right.  Though I think the security side of this largely belongs in
> redhat-rpm-config and moving annobin/annocheck into an enforcement role
> (like we've done with RHEL).
> 
> We did this for RHEL and while painful, getting the vast majority of
> packages to honor the flags injection and verification via
> annobin/annocheck before the resultant packages can be included in the
> distro has been a big win and enables us to do a lot of useful things
> knowing that the flags injection works well.
> 
> Fedora is behind on this.  While most packages honor flags injection,
> we don't actually know which do not (either by accident or design) and
> we don't have a way to easily find them.  So things like CET in
> enforcing mode by default are going to be harder to achieve in Fedora
> than in RHEL.  But like so many things, I don't have the time to push
> on something like this for Fedora.

Just curious, how is it done in RHEL? Just some kind of CI that
analyses all builds or?

> Jeff
-- 
Igor Raits <ignatenkobrain@xxxxxxxxxxxxxxxxx>
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
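The enforcement Jeff describes rests on inspecting the built binaries for evidence that the injected hardening flags actually took effect, which is what annocheck does over the annobin notes and ELF metadata. As an added example that is not annobin, annocheck, or any Fedora/RHEL tooling, the Python below reads a few of the loader-visible markers such a gate would look at in an ELF64 image (PIE, non-executable stack, RELRO plus BIND_NOW, and the CET IBT/SHSTK property bits named in the thread) and reports which of a required set are missing. `build_sample_elf` is a constructed, header-only fixture so the check can be exercised without a real package; the marker names and the required-set policy are this example's own choices, not a Fedora policy.

```python
"""Minimal ELF64 hardening audit: reads the program headers, the dynamic
section and the GNU property note to report PIE, NX stack, RELRO,
BIND_NOW and CET (IBT/SHSTK) markers.  Added illustration only; it is
not annocheck and covers a small fraction of what annocheck verifies."""
import struct

ET_DYN = 3
PT_DYNAMIC, PT_GNU_STACK = 2, 0x6474E551
PT_GNU_RELRO, PT_GNU_PROPERTY = 0x6474E552, 0x6474E553
PF_X = 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_X86_FEATURE_1_AND = 0xC0000002
FEATURE_1_IBT, FEATURE_1_SHSTK = 0x1, 0x2


def _segments(elf):
    """Yield (p_type, p_flags, p_offset, p_filesz) per program header (little-endian ELF64 only)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        yield p_type, p_flags, p_offset, p_filesz


def _bind_now(elf, off, size):
    """True if the dynamic section requests immediate binding (needed for full RELRO)."""
    for pos in range(off, off + size, 16):
        tag, val = struct.unpack_from("<QQ", elf, pos)
        if tag == DT_NULL:
            break
        if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                or (tag == DT_FLAGS_1 and val & DF_1_NOW):
            return True
    return False


def _cet_bits(elf, off, size):
    """Return the x86 GNU_PROPERTY_X86_FEATURE_1_AND bits from the PT_GNU_PROPERTY note, 0 if absent."""
    pos, end = off, off + size
    while pos + 12 <= end:
        namesz, descsz, ntype = struct.unpack_from("<III", elf, pos)
        name_off = pos + 12
        desc_off = name_off + ((namesz + 3) & ~3)
        if ntype == NT_GNU_PROPERTY_TYPE_0 and elf[name_off:name_off + namesz] == b"GNU\0":
            p = desc_off
            while p + 8 <= desc_off + descsz:
                pr_type, pr_datasz = struct.unpack_from("<II", elf, p)
                if pr_type == GNU_PROPERTY_X86_FEATURE_1_AND and pr_datasz == 4:
                    return struct.unpack_from("<I", elf, p + 8)[0]
                p += 8 + ((pr_datasz + 7) & ~7)   # ELF64 property data is 8-byte padded
        pos = desc_off + ((descsz + 7) & ~7)
    return 0


def audit(elf):
    """Return a dict of hardening markers found in the image.  A missing PT_GNU_STACK
    is reported as an executable stack, which is how the loader treats it."""
    r = {"pie": struct.unpack_from("<H", elf, 16)[0] == ET_DYN, "nx_stack": False,
         "relro": False, "bind_now": False, "cet_ibt": False, "cet_shstk": False}
    for p_type, p_flags, p_off, p_size in _segments(elf):
        if p_type == PT_GNU_STACK:
            r["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            r["relro"] = True
        elif p_type == PT_DYNAMIC:
            r["bind_now"] = _bind_now(elf, p_off, p_size)
        elif p_type == PT_GNU_PROPERTY:
            bits = _cet_bits(elf, p_off, p_size)
            r["cet_ibt"], r["cet_shstk"] = bool(bits & FEATURE_1_IBT), bool(bits & FEATURE_1_SHSTK)
    return r


def missing(elf, required=("pie", "nx_stack", "relro", "bind_now")):
    """Names of required markers the image lacks; an empty list means the policy passed."""
    found = audit(elf)
    return [k for k in required if not found[k]]


def build_sample_elf(*, pie=True, exec_stack=False, relro=True, bind_now=True, cet=True):
    """Constructed test fixture: a header-only ELF64 image (no code) carrying just
    the segments this audit inspects.  Not a real binary from any package."""
    dyn = (struct.pack("<QQ", DT_FLAGS_1, DF_1_NOW) if bind_now else b"") + struct.pack("<QQ", DT_NULL, 0)
    prop = struct.pack("<IIII", GNU_PROPERTY_X86_FEATURE_1_AND, 4, FEATURE_1_IBT | FEATURE_1_SHSTK, 0)
    note = struct.pack("<III", 4, len(prop), NT_GNU_PROPERTY_TYPE_0) + b"GNU\0" + prop
    segs = [(PT_GNU_STACK, PF_X if exec_stack else 0, b""), (PT_DYNAMIC, 0, dyn)]
    if relro:
        segs.append((PT_GNU_RELRO, 0, b""))
    if cet:
        segs.append((PT_GNU_PROPERTY, 0, note))
    phdrs, body, data_off = b"", b"", 64 + 56 * len(segs)   # 8-aligned, so note offsets stay aligned
    for p_type, p_flags, payload in segs:
        phdrs += struct.pack("<IIQQQQQQ", p_type, p_flags, data_off + len(body), 0, 0,
                             len(payload), len(payload), 8)
        body += payload + b"\0" * (-len(payload) % 8)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8 + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else 2, 62, 1, 0, 64, 0, 0, 64, 56, len(segs), 64, 0, 0)
    return ehdr + phdrs + body


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:           # e.g. files extracted from a built RPM
        with open(path, "rb") as f:
            print(path, audit(f.read()))
```

Run it over the binaries unpacked from a build and fail the build when `missing()` returns anything, and you have the skeleton of the gate Jeff describes. Two caveats the thread's context makes relevant: the CET bits only record that the linker marked the object, not that the kernel or CPU enforces it at run time, and none of these markers tells you whether stack protector, `_FORTIFY_SOURCE` or the other injected flags reached every object file; that per-object record is exactly what the annobin notes exist to carry, so annocheck remains the tool for the full policy.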