On Friday, 11 September 2015 at 13:50, Alexander Todorov wrote:
> Hello folks,
> I'm looking at this feature:
>
> https://fedoraproject.org/wiki/Changes/Harden_All_Packages
>
> <quote>
> How To Test
>
> Running checksec should always report only
>
> Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH
>
> otherwise a tracking bug should exist for the respective packages
> </quote>
>
>
> On a current Rawhide installation I'm seeing lots of potential failures, for
> example:
>
> Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH
>
>
> Question is how to deal with these because they appear to be in the hundreds?

How many, exactly? We have around 20000 SRPMs in the distribution.

> I will do my best to filter out any false negatives and group the results
> per package but this still leaves quite a big number of bugs to report.
>
> How do you feel about reporting all of these offences automatically? Are
> there any known exceptions which should be mentioned in the wiki page above?

Some RPATHs are acceptable, in general: %{_libdir}/foo. See
https://fedoraproject.org/wiki/Packaging:Guidelines#Rpath_for_Internal_Libraries

Regards,
Dominik
-- 
Fedora http://fedoraproject.org/wiki/User:Rathann
RPMFusion http://rpmfusion.org
"Faith manages."
-- Delenn to Lennier in Babylon 5:"Confessions and Lamentations"
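An added example, not part of the thread: one way to group checksec deviations per package while honouring the `%{_libdir}/foo` RPATH exception mentioned in the reply. The row layout, the verdict strings not quoted in the thread, the `/usr/lib64` and `/usr/lib` expansions of `%{_libdir}`, and the separately collected RPATH value are all assumptions.

```python
import posixpath
import re
from collections import defaultdict

# Verdicts the "How To Test" text quoted above requires, per checksec column.
EXPECTED = {"RELRO": "Full RELRO", "CANARY": "Canary found", "NX": "NX enabled",
            "PIE": "PIE enabled", "RPATH": "No RPATH", "RUNPATH": "No RUNPATH"}
# Alternatives per column; those not quoted in the thread are assumptions.
TOKENS = {"RELRO": "Full RELRO|Partial RELRO|No RELRO",
          "CANARY": "Canary found|No canary found",
          "NX": "NX enabled|NX disabled", "PIE": "PIE enabled|No PIE",
          "RPATH": "No RPATH|RPATH", "RUNPATH": "No RUNPATH|RUNPATH"}
LINE = re.compile(r"\s+".join(f"(?P<{c}>{p})" for c, p in TOKENS.items()))
LIBDIRS = ("/usr/lib64", "/usr/lib")  # assumed expansions of %{_libdir}

def rpath_is_internal(rpath):
    """True only if every entry is a private subdirectory of a libdir."""
    # An empty entry means the current directory, so it is rejected too.
    return all(any(posixpath.normpath(e).startswith(d + "/") for d in LIBDIRS)
               for e in rpath.split(":"))

def triage(rows):
    """rows: (package, file, checksec verdicts, RPATH/RUNPATH value or "")."""
    bugs = defaultdict(list)
    for pkg, path, verdicts, rpath in rows:
        m = LINE.fullmatch(verdicts.strip())
        if m is None:
            bugs[pkg].append((path, ["unparsed: " + verdicts]))
            continue
        bad = [m[c] for c in EXPECTED if m[c] != EXPECTED[c]]
        if rpath_is_internal(rpath):  # the %{_libdir}/foo exception
            bad = [b for b in bad if b not in ("RPATH", "RUNPATH")]
        if bad:
            bugs[pkg].append((path, bad))
    return dict(bugs)

# Constructed sample rows, not taken from a real Rawhide scan.
OK = "Full RELRO Canary found NX enabled PIE enabled "
SAMPLE = [
    ("foo", "/usr/bin/foo", OK + "No RPATH No RUNPATH", ""),
    ("bar", "/usr/bin/bar",
     "Partial RELRO Canary found NX enabled No PIE No RPATH No RUNPATH", ""),
    ("baz", "/usr/bin/baz", OK + "RPATH No RUNPATH", "/usr/lib64/baz"),
    ("qux", "/usr/bin/qux", OK + "No RPATH RUNPATH", "/usr/lib64/qux:/tmp/lib"),
]

if __name__ == "__main__":
    for pkg, findings in sorted(triage(SAMPLE).items()):
        print(pkg, findings)
```

Only `bar` and `qux` produce findings here: `baz` carries an RPATH confined to its own libdir subdirectory, while `qux` mixes an internal entry with one outside libdir and is still reported.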