On Sun, May 29, 2016 at 12:00:14PM -0600, Theo de Raadt wrote:
> If anyone decides to engage an upstream developer about their software
> performing W^X violations, please be respectful, detailed, and calm.
> The major W^X violators which remain are not simple pieces of
> software, and their authors will not make improvements in this area in
> a fortnight. It is going to take a lot of patience.

Taking the opportunity to stress again the plague of the ports tree: copy-pasting bugs.

We have some variations upon the same library that exist in at least 3 different variations, with various ways to show basically the same mode of failure. (shows up there wrt webkit and libffi at least, and probably some others, though I haven't looked too closely yet).

Yes, copying/forking the same code saves time instead of talking to upstream to get what you need, but we do pay it heavily every time. This is, again, a very long term problem that will take forever to address (e.g., people discover again and again that antipattern, that packaging and forking alleviates their immediate problem, but causes a HUGE debt later on with respect to security issues).

Well, let's be positive, and say that at least, the current W^X changes show with glaring clarity some examples of that anti-pattern at work... bookmark for later use with the next problem we face. :p
