On 08.11.19 17:21, Michele Orrù wrote:
Hello again Doko,

I'm reaching out once again (and updating the bug) to ask if perhaps you
could take a look at my patch. I really just want to remove 4 lines of

I tested the compiled packaged (once again, on your updated revision) and
everything seemed okay on my machine.

I tried to reach out to you via Holger, who said I should double-check for
potential performance issues and whether other distributions use it.

On fedora, Giovanni tested python3-3.7.3-1.fc30.i686.rpm

$ hardening-check python3
  Position Independent Executable: yes
  Stack protected: no, not found!
  Fortify Source functions: unknown, no protectable libc functions used
  Read-only relocations: yes
  Immediate binding: yes

Attached, you will find the result of pyperformance compare between
python3.8 compiled with -fPIE and without. I don't really buy the argument
of performance loss in a language like python, especially given the big
attack surface we are offering right now; anyways, just for the record,
it's between 2-5x slower, which doesn't seem so dramatic to me.

I also find it very suspicious that in the git log (of python 3 and python
2) there is no justification for disabling PIE explicitly: why this code
was there in the first place?

I'm going to try escalating this issue to other people in debian security
if I don't get a reply within a week!

seriously? For a few months you are writing emails without subject landing in my spam folder, and then you are starting threats?

> other people in debian security

can't find you in

I also doubt very much your numbers, 2.5 - 5 times slower is not expected. PIE has some impact, but not that bad.


Reply via email to