On Tue, Dec 06, 2022 at 01:35:04AM +0100, Jaroslav Prokop wrote: > On 12/5/22 20:58, Ben Cotton wrote: > > The core change to bring in this mitigation is to change the default > build flags in `redhat-rpm-config` so that packages build by default > with `-Wp,-D_FORTIFY_SOURCE=3`. There are packages (e.g. `systemd`) > that do not interact well with `_FORTIFY_SOURCE` and will also need a > workaround to downgrade fortification to level 2. The change will also > include this override. > > How come systemd gets an exception? If it is a security option, it should be > enabled everywhere.
I don't believe the proposal is that everyone *has* to use this (or at least, I hope not). Even existing _FORTIFY_SOURCE=2 is optional. I'd like to know what the problems are that affect systemd however. > I do not see benefit in a security change that ignores PID 1 process, I agree we should try to cover it. > If the feature, on the GCC side, is not 100% done. > How do I tell a difference of a bug with the _FORTIFY_SOURCE which I will > ignore and a bug with my package? By looking at the message printed out when the program crashes, I guess? And if that's not enough information, then asking here. > I do not have the knowledge or the time to be able to say that GCC > generated the wrong machine code and therefore it is not a bug with > my package. If my program was not complaining before the change and > is now complaining with the change, I am opting out of the change, > and filing a bug against GCC on Fedora. GCC & Fedora developers have been very responsive on these kinds of issues in the past. No one wants a compiler with code gen problems. Rich. -- Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones Read my programming and virtualization blog: http://rwmj.wordpress.com nbdkit - Flexible, fast NBD server with plugins https://gitlab.com/nbdkit/nbdkit _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
