On Wed, Sep 16, 2015 at 07:24:02PM +0300, Alexander Todorov wrote:
> Including fedora-devel on this topic.
>
> On 12.09.2015 at 08:48, Dominik 'Rathann' Mierzejewski wrote:
> >>>
> >>> Question is how to deal with these because they appear to be in the hundreds?
> >>
> >> How many, exactly? We have around 20000 SRPMs in the distribution.
> >
> From today's Rawhide snapshot my script counted around 4500
> offending packages. You can find links to the script and execution
> log here:
> http://atodorov.org/blog/2015/09/16/4000-bugs-in-fedora-checksec-failures/

The majority of the packages of mine on this list fall into three groups:

- erlang packages
- mingw packages
- ocaml packages

I'm pretty sure mingw packages should all be excluded. Who knows what
Windows uses (and who cares).

Erlang code generation is an unknown quantity.

For OCaml, I think you should ignore anything under %{libdir}/ocaml/
since those are development files. (Their contents may eventually end
up in a binary, but we can worry about that when we see the binary.)
That removes most of the failures.

For OCaml binaries, it seems as if most of them are like this:

Partial RELRO   Canary found   NX enabled   No PIE   No RPATH   No RUNPATH   ./usr/bin/ocamlc.opt

As far as I understand it, the only problems there are "Partial RELRO",
which should in an ideal world be "Full RELRO", and "No PIE".

I guess we can fix the RELRO problem by linking with -z now. It may
require a compiler patch.

The OCaml compiler doesn't support PIE but it does support -fPIC. I'm
not clear if there would be some way to link the -fPIC objects into a
PIE executable?

In general OCaml is much more robust against these kinds of attacks,
since you have to deliberately let your pointers "go wild" by using
special "unsafe_*" functions, and that's an immediate red flag when
reviewing code.

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-builder quickly builds VMs from scratch
http://libguestfs.org/virt-builder.1.html
--
packaging mailing list
packaging@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/packaging
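The checksec line quoted in the mail, and the "Partial RELRO versus Full RELRO, fix with -z now" point, come straight from ELF headers: `-z relro` emits a PT_GNU_RELRO program header, `-z now` additionally sets BIND_NOW in the dynamic section, and only the two together count as "Full RELRO"; PIE is judged from the ELF type (ET_DYN), NX from the PT_GNU_STACK flags, and RPATH/RUNPATH from DT_RPATH/DT_RUNPATH tags. The following is an added example written for this page, not Alexander's script from the linked blog post and not part of OCaml or Fedora tooling. It reads those headers directly with `struct`, and ships with a `build_elf` helper that produces a constructed, non-loadable ELF64 fixture so the checker can be exercised offline; the canary check (a symbol-table lookup for `__stack_chk_fail`) is left out.

```python
import struct

# ELF64 constants from the ELF and GNU ABI specifications.
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_RPATH, DT_BIND_NOW, DT_RUNPATH, DT_FLAGS = 0, 15, 24, 29, 30
DF_BIND_NOW = 0x8
PHDR_FMT, DYN_FMT = "<IIQQQQQQ", "<qQ"  # Elf64_Phdr, Elf64_Dyn (little-endian)


def checksec(data):
    """Report RELRO/NX/PIE/RPATH/RUNPATH for a little-endian ELF64 image.

    RELRO is graded like checksec: PT_GNU_RELRO alone (-z relro) is
    "Partial", PT_GNU_RELRO plus BIND_NOW (-z now) is "Full".
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    has_relro, nx, dyn = False, False, None
    for i in range(e_phnum):
        p_type, p_flags, p_off, _, _, p_filesz, _, _ = struct.unpack_from(
            PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_GNU_STACK:
            # A missing PT_GNU_STACK means an executable stack, so NX counts
            # as enabled only when the header exists and lacks PF_X.
            nx = not (p_flags & PF_X)
        elif p_type == PT_DYNAMIC:
            dyn = (p_off, p_filesz)

    bind_now = rpath = runpath = False
    if dyn is not None:
        for off in range(dyn[0], dyn[0] + dyn[1], struct.calcsize(DYN_FMT)):
            d_tag, d_val = struct.unpack_from(DYN_FMT, data, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW):
                bind_now = True
            elif d_tag == DT_RPATH:
                rpath = True
            elif d_tag == DT_RUNPATH:
                runpath = True

    return {
        "relro": ("Full RELRO" if has_relro and bind_now
                  else "Partial RELRO" if has_relro else "No RELRO"),
        "nx": nx,
        # ET_DYN is what checksec calls PIE; shared objects are ET_DYN too,
        # so a .so is reported as PIE even though the distinction is moot there.
        "pie": e_type == ET_DYN,
        "rpath": rpath,
        "runpath": runpath,
    }


def summary(data, path):
    """One line in the layout of the checksec output quoted in the mail."""
    r = checksec(data)
    return "  ".join([
        r["relro"],
        "NX enabled" if r["nx"] else "NX disabled",
        "PIE enabled" if r["pie"] else "No PIE",
        "RPATH" if r["rpath"] else "No RPATH",
        "RUNPATH" if r["runpath"] else "No RUNPATH",
        path,
    ])


def build_elf(pie=False, relro=False, bind_now=False, nx=True, runpath=False):
    """Constructed fixture: a minimal ELF64 image carrying only the headers
    inspected above. It is not loadable and contains no code."""
    dyn = b""
    if bind_now:
        dyn += struct.pack(DYN_FMT, DT_FLAGS, DF_BIND_NOW)
    if runpath:
        dyn += struct.pack(DYN_FMT, DT_RUNPATH, 0)
    dyn += struct.pack(DYN_FMT, DT_NULL, 0)

    phdrs = [(PT_DYNAMIC, 6), (PT_GNU_STACK, 6 if nx else 7)]  # RW vs RWX
    if relro:
        phdrs.append((PT_GNU_RELRO, 4))
    dyn_off = 64 + struct.calcsize(PHDR_FMT) * len(phdrs)
    body = b"".join(
        struct.pack(PHDR_FMT, p_type, p_flags,
                    dyn_off if p_type == PT_DYNAMIC else 0, 0, 0,
                    len(dyn) if p_type == PT_DYNAMIC else 0,
                    len(dyn) if p_type == PT_DYNAMIC else 0, 8)
        for p_type, p_flags in phdrs)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LE, v1, SysV
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0,
                               64, struct.calcsize(PHDR_FMT), len(phdrs), 64, 0, 0)
    return ehdr + body + dyn


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(summary(fh.read(), path))
    if len(sys.argv) == 1:
        print(summary(build_elf(relro=True), "./constructed-partial-relro"))
```

Run it on real binaries by passing their paths; with no arguments it prints the grade of a constructed "Partial RELRO" fixture. The useful reading of the output is the one Rich gives: an OCaml binary that shows "Partial RELRO" has the PT_GNU_RELRO segment but lacks BIND_NOW, which is exactly what `-z now` adds, while "No PIE" reflects an ET_EXEC type that only a PIE-capable toolchain can change.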