[ https://issues.apache.org/jira/browse/PROTON-808?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14319223#comment-14319223 ]

Rafael H. Schloming commented on PROTON-808:
--------------------------------------------

I was just observing that it would be unlikely for there to be an exploit if 
you just run make install and then don't mess with the resulting tree. As you 
point out though, if you copy stuff around, there is still the potential for an 
exploit.

If we don't want to change what the build does by default, we could just 
document the appropriate options for the user to configure the RPATH manually, 
although I suppose that would constitute giving people insecure advice. If we 
do go that route there is kind of an annoying gotcha with the whole "lib" vs 
"lib64" thing.

> Binaries have their library locations stripped
> ----------------------------------------------
>
>                 Key: PROTON-808
>                 URL: https://issues.apache.org/jira/browse/PROTON-808
>             Project: Qpid Proton
>          Issue Type: Bug
>          Components: proton-c
>            Reporter: Justin Ross
>         Attachments: cmake.patch
>
>
> 1. Build proton
> 2. Install to /usr/local
> 3. Run "proton"
> -> Blows up, can't find its library
> https://paste.apache.org/gd56
> http://stackoverflow.com/questions/3352041/creating-binary-with-cmake-removes-runtime-path
> The default behavior of cmake is in my opinion wrong, and we should use the 
> fix mentioned in that stackoverflow discussion.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
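
An added example, not part of the original message or of the Proton project: a check over `readelf -d` output that flags RPATH/RUNPATH entries which stop being trustworthy once a binary or its tree is copied somewhere else, the situation the comment above describes. The sample output, the `UNTRUSTED` prefix list and the function names are constructed assumptions.

```python
import re

# Matches the RPATH / RUNPATH lines printed by `readelf -d <binary>`.
ENTRY = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[(.*)\]")

# Assumption: locations an unprivileged user can usually write to.
UNTRUSTED = ("/tmp", "/var/tmp", "/home")


def classify(entry):
    """Return why a single search-path entry is risky, or None if it is not."""
    if entry == "":
        return "empty entry, resolved against the current directory"
    if entry.startswith(("$ORIGIN", "${ORIGIN}")):
        return "follows the binary, so it changes when the tree is copied"
    if not entry.startswith("/"):
        return "relative path, resolved against the current directory"
    if any(entry == p or entry.startswith(p + "/") for p in UNTRUSTED):
        return "absolute path under a user-writable location"
    return None


def audit_rpath(readelf_output):
    """Return (tag, entry, reason) for every risky RPATH/RUNPATH entry."""
    findings = []
    for line in readelf_output.splitlines():
        match = ENTRY.search(line)
        if not match:
            continue
        tag, value = match.groups()
        for entry in value.split(":"):  # entries are colon-separated
            reason = classify(entry)
            if reason:
                findings.append((tag, entry, reason))
    return findings


# Constructed sample of `readelf -d` output (not taken from a real build).
SAMPLE = """\
 0x0000000000000001 (NEEDED)             Shared library: [libqpid-proton.so]
 0x000000000000000f (RPATH)              Library rpath: [/home/build/proton/build/proton-c:]
 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/../lib64:/usr/local/lib64]
"""

if __name__ == "__main__":
    for tag, entry, reason in audit_rpath(SAMPLE):
        print(f"{tag}: [{entry}] {reason}")
```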
