On 2018-05-01, IL Ka <[email protected]> wrote:
>> while there are Python modules which rely on W|X.
> Yes, but I do not use them.
>
> I only run Python and Django.
> I am aware of the fact that my python is not compatible with some modules,
> and I am ok with it since I do not need them.
>
>> use ports instead of pkg_add to get Python binary without W|X
> That is exactly what I did: built python from official openbsd port with
> USE_WXNEEDED=no.
> I now have python that works from /home, but does not support some modules.

Now you have a version of python that you need to rebuild whenever a library that it uses is bumped to a different major version number, otherwise you have conflicts in some cases, and if not an actual conflict, you're at least stuck with an old version of that library (which may mean you miss security fixes). This might not be too much of a problem if you stick to -stable but will get old fast on -current.

> While I am still happy with my approach, I'll not suggest it anymore,
> because everyone else says it is not correct,
> and I do not want to give bad advice to people on this list:)
>
> Fixing every single port that needs WX seems like a huge amount of work.

That's not necessary for your goal of python working without the flag. Only the libraries that might be used as part of python modules. The only ones we know about are the python webkit bindings and (at least last time I tested it) py-cryptography (something to do with a libssl callback IIRC).

> People do not care about W|X security too much outside of openbsd
> community:(

grsecurity does block RWX mappings by default btw.

