Re: F39 Proposal: LIBFFI34 static trampolines (System-Wide Change)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 5/8/23 15:50, Aoife Moloney wrote:
https://fedoraproject.org/wiki/Changes/LIBFFI34_static_trampolines

This document represents a proposed Change. As part of the Changes
process, proposals are publicly announced in order to receive
community feedback. This proposal will only be implemented if approved
by the Fedora Engineering Steering Committee.


== Summary ==
Libffi is currently configured to use dynamic trampolines, which
require some source of memory which is both writable and executable.
This is an obvious security issue, and selinux and system defaults
have made it more and more difficult to safely provide this memory to
libffi clients.  With this change, libffi will be configured to use
static trampolines, which do not require such memory, and will not
pose those security and administrative risks.

== Owner ==

* Name: [[User:djdelorie| DJ Delorie]]
* Email: dj@xxxxxxxxxx



== Detailed Description ==
The change itself is simple - libffi will no longer be configured with
--disable-exec-static-tramp, which changes how closures are generated.
Closures, and libffi, are used in many interpreted languages.  There
are about 145 packages that depend, directly or indirectly, on libffi.
I ran the Mass Prebuilder.  Of those 145, 10 already FTBFS, and 1 saw
a new failure.

The Mass PreBuilder has indicated that cjs (_javascript_ Bindings for
Cinnamon) will fail to build with static trampolines.  We debugged
this a bit and noted that cjs's upstream seems to be behind the gjs
upstream (the gjs package builds OK) it tracks, and is missing at
least two closure-related changes (although simply adding those two
changes proved nontrivial).

Are the libffi/rebuilt packages available anywhere for us to experiment with?

We have a reasonably reliable reproducer in Ruby [0] (also included in commit message [1]), but it is not executed as part of test suite,

Moreover, rebuild with current Ruby specfiles won't tell you much as we commented out the tests [2]
to have less flaky builds. I'd recommend uncommenting the lines and run 5 to 10 builds (or just run any of the 2 reproducers).

Regards,
Jarek Prokop

[0] https://bugzilla.redhat.com/show_bug.cgi?id=2040380#c5
[1] https://src.fedoraproject.org/rpms/ruby/c/c2026da1750e6d0cc70c7370a0840628bbbfa965?branch=9e39fd242a58a5ab286d5da0d54130a669c8a9ec
[2] https://src.fedoraproject.org/rpms/ruby/blob/9e39fd242a58a5ab286d5da0d54130a669c8a9ec/f/ruby.spec#_998
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux