On Wed, Jan 7, 2015 at 5:30 AM, Josh Boyer <jwbo...@fedoraproject.org> wrote:
> > We just went over something very much like this for x86_64 packages > with FESCo ticket 1113: > > https://fedorahosted.org/fesco/ticket/1113 > > Could you perhaps review that and elaborate on the differences between > that proposal and this one if there are any? Additionally, could you > cover any of the concerns listed there that apply to this proposal? > > josh > -- > devel mailing list > devel@lists.fedoraproject.org > https://admin.fedoraproject.org/mailman/listinfo/devel > Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Hi Josh, That ticket is over 20 months old. It was discussed at time when Fedora 19 was in beta stage. I believe alot has changed since then. Since Fedora 20 pre-link is already disabled by default. The security landscape has changed. With the major publicity from Heartbleed and ShellShock, I believe more people are now security conscious than before. Hopefully, they will understand the need for compromise in system performance in order to protect the system from being exploited. For example: here http://lcamtuf.blogspot.com/2014/10/psa-dont-run-strings-on-untrusted-files.html (CVE-2014-8485) it states "Many Linux distributions ship *strings* without ASLR, making potential attacks easier and more reliable - a situation reminiscent of one of the recent bugs in *bash*." Which links here: http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html (CVE-2014-6277) and (CVE-2014-6278) and states "The issue is also made worse by the fact that only relatively few distributions were building bash as a position-independent executable that could be fully protected by ASLR." -Moez
-- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct