Re: RFC mass bug reporting: checksec failures

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Friday, 11 September 2015 at 13:50, Alexander Todorov wrote:
> Hello folks,
> I'm looking at this feature:
> 
> https://fedoraproject.org/wiki/Changes/Harden_All_Packages
> 
> <quote>
>  How To Test
> 
>     Running checksec should always report only
> 
> Full RELRO Canary found NX enabled PIE enabled No RPATH No RUNPATH
> 
> otherwise a tracking bug should exist for the respective packages	
> </quote>
> 
> 
> On a current Rawhide installation I'm seeing lots of potential failures, for
> example:
> 
> Partial RELRO   Canary found      NX enabled    No PIE          No RPATH
> No RUNPATH
> 
> 
> Question is how to deal with these because they appear to be in the hundreds ?

How many, exactly? We have around 20000 SRPMs in the distribution.

> I will do my best to filter out any false negatives and group the results
> per package but this still leaves quite a big number of bugs to report.
> 
> How do you feel about reporting all of these offences automatically ? Are
> there any known exceptions which should be mentioned in the wiki page above
> ?

Some RPATHs are acceptable, in general: %{_libdir}/foo.  See
https://fedoraproject.org/wiki/Packaging:Guidelines#Rpath_for_Internal_Libraries

Regards,
Dominik
-- 
Fedora http://fedoraproject.org/wiki/User:Rathann
RPMFusion http://rpmfusion.org
"Faith manages."
        -- Delenn to Lennier in Babylon 5:"Confessions and Lamentations"
--
packaging mailing list
packaging@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/packaging




[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite Forum]     [KDE Users]

  Powered by Linux