https://bugzilla.redhat.com/show_bug.cgi?id=1294568

Antonio Trande <anto.trande@xxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|fedora-review?              |fedora-review+

--- Comment #5 from Antonio Trande <anto.trande@xxxxxxxxx> ---
(In reply to Robert Scheck from comment #4)
> (In reply to Antonio Trande from comment #3)
> > Full RELRO and PIE (http://fedoraproject.org/wiki/Packaging:Guidelines#PIE)
> > issues are part of the packaging guidelines; I don't understand why EPEL
> > packagers should choose what they follow or not.
> > Also, we are talking of security issues important for EPEL too, or not?
>
> RHEL 6 doesn't support the %_hardened_build macro. Additionally, even the
> base operating system dependencies of libmtp do not have full relro - why
> would it make sense for a single relatively unimportant library on top? I
> also looked at other EPEL packages...this is usually not manually done. So
> why is this expected here? I get "security", but the impact is relatively
> low from my point of view (libmtp is not used by a network daemon AFAIK).
>
> Check for full relro for libmtp dependencies:
> readelf -l /usr/lib*/libusb-0.1.so.4 | grep -c GNU_RELRO
> readelf -d /usr/lib*/libusb-0.1.so.4 | grep -c BIND_NOW
> readelf -l /lib*/libgcrypt.so.11 | grep -c GNU_RELRO
> readelf -d /lib*/libgcrypt.so.11 | grep -c BIND_NOW
>
> If you still insist on full relro for EPEL 6 for libmtp11, let me know and I
> will add: export LDFLAGS="-Wl,-z,now -Wl,-z,relro %{?__global_ldflags}"

You're right, and I don't know if it's (or will be) a topic of discussion
sooner or later. I have preferred to set hardening flags manually on all my
packages in EPEL in advance; of course I can't force you to do that. Anyway, I
drew attention to it in the package reviews I have done.

Package approved.

--
You are receiving this mail because:
You are on the CC list for the bug.
You are always notified about changes to this product and component
_______________________________________________
package-review mailing list
package-review@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/package-review
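The two `readelf | grep` checks quoted above test for a `PT_GNU_RELRO` segment and a `BIND_NOW` request in the dynamic section; both together are "full RELRO", the segment alone is "partial". The script below is an added example (not from the bug report, libmtp or Fedora tooling) that reads those two facts straight out of a 64-bit little-endian ELF file, so the check can be scripted without `readelf`; `build_sample_elf` is a constructed minimal image used only to exercise the parser.

```python
import struct
import sys

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def relro_status(data: bytes) -> str:
    """Return 'full', 'partial' or 'none' for an ELF64 little-endian image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a 64-bit little-endian ELF file")
    # e_phoff lives at offset 32, e_phentsize/e_phnum at 54/56 of the header
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    has_relro, dyn = False, None
    for i in range(e_phnum):  # walk the program headers (what readelf -l prints)
        off = e_phoff + i * e_phentsize
        p_type, _fl, p_offset, _va, _pa, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            dyn = (p_offset, p_filesz)
    bind_now = False
    if dyn:  # walk the dynamic entries (what readelf -d prints) until DT_NULL
        for off in range(dyn[0], dyn[0] + dyn[1], 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) \
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                bind_now = True
    if has_relro and bind_now:
        return "full"
    return "partial" if has_relro else "none"


def build_sample_elf(relro: bool, bind_now: bool) -> bytes:
    """Constructed test image: ELF header, 1-2 program headers, tiny .dynamic."""
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    dyn_off = 64 + 56 * (2 if relro else 1)
    phdrs = [struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)]
    if relro:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, dyn_off, 0, 0, len(dyn), len(dyn), 1))
    ehdr = b"\x7fELF\x02\x01\x01" + b"\x00" * 9  # ELFCLASS64, little-endian, SysV
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(phdrs) + dyn


if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. relro.py /usr/lib64/libmtp.so.9
        with open(path, "rb") as f:
            print(path, relro_status(f.read()))
```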