[Bug 1294568] Review Request: libmtp11 - A software library for MTP media players

https://bugzilla.redhat.com/show_bug.cgi?id=1294568



--- Comment #4 from Robert Scheck <redhat-bugzilla@xxxxxxxxxxxx> ---
(In reply to Antonio Trande from comment #3)
> Full RELRO and PIE (http://fedoraproject.org/wiki/Packaging:Guidelines#PIE)
> issues are part of the packaging guidelines; I don't understand why EPEL
> packagers should choose what they follow or not.
> Also, we are talking about security issues important for EPEL too, or not?

RHEL 6 doesn't support the %_hardened_build macro. Additionally, even the
base operating system dependencies of libmtp do not have full relro - why
would it make sense for a single relatively unimportant library on top? I
also looked at other EPEL packages... this is usually not done manually. So
why is this expected here? I get "security", but the impact is relatively
low from my point of view (libmtp is not used by a network daemon AFAIK).

Check for full relro for libmtp dependencies:
readelf -l /usr/lib*/libusb-0.1.so.4 | grep -c GNU_RELRO
readelf -d /usr/lib*/libusb-0.1.so.4 | grep -c BIND_NOW
readelf -l /lib*/libgcrypt.so.11 | grep -c GNU_RELRO
readelf -d /lib*/libgcrypt.so.11 | grep -c BIND_NOW

If you still insist on full relro for EPEL 6 for libmtp11, let me know and I
will add: export LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}"

-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
_______________________________________________
package-review mailing list
package-review@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/package-review



