On Wed, 3 Apr 2013, Miloslav Trmač wrote:

On Wed, Apr 3, 2013 at 12:18 AM, Adam Williamson <awill...@redhat.com> wrote:
      On 31/03/13 08:11 AM, Richard W.M. Jones wrote:

            However prelink does reduce the effectiveness of ASLR (a bit).  See
            http://lwn.net/Articles/341440/ and follow-up conversation.

Ignoring the silly stuff, it does seem that this is Yet Another Reason Prelink Is Bad

Is it?  The linked comment says the opposite: prelink might interfere with
ASLR, but for most programs it doesn't make a difference.
Even the latter discussion about local attackers doesn't really apply when any
PIE executable automatically means prelink is ignored both for the executable
and for any used shared libraries, as Jakub said.

To me, prelink is still evil for breaking FIPS. I've requested a few times
that prelink play nicer with FIPS mode, like running prelink -ua during
bootup when FIPS mode is on. And running prelink -ua when the prelink
package is uninstalled. Neither trivial solution is implemented in
the package.

The only argument in favour of prelink is speed. People selecting FIPS
have clearly made the decision to favour extra security over speed.

I'm strongly in favour of getting rid of it completely, and letting
Moore's Law do its job.

Paul
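
A sketch of the boot-time check requested in the message above, as an added example that is not part of the thread or of the prelink package. It assumes the kernel exposes FIPS state in /proc/sys/crypto/fips_enabled; the FIPS_FLAG and PRELINK_BIN variables and the function names are hypothetical, introduced here so the logic can be exercised without touching a real system.

```shell
#!/bin/sh
# Added example: undo prelinking at boot when the kernel reports FIPS mode.
# FIPS_FLAG and PRELINK_BIN are illustrative overrides, not settings that
# the prelink package itself reads.
FIPS_FLAG="${FIPS_FLAG:-/proc/sys/crypto/fips_enabled}"
PRELINK_BIN="${PRELINK_BIN:-prelink}"

# Return 0 only when the flag file is readable and contains exactly "1".
fips_enabled() {
    [ -r "$FIPS_FLAG" ] || return 1
    [ "$(tr -d '[:space:]' < "$FIPS_FLAG")" = "1" ]
}

# Run "prelink -ua" (undo, all binaries) only when FIPS mode is on.
# Returns 0 when there is nothing to do or the undo succeeded, 1 on failure.
undo_prelink_if_fips() {
    if ! fips_enabled; then
        echo "FIPS mode off: leaving prelinked binaries alone"
        return 0
    fi
    if ! command -v "$PRELINK_BIN" >/dev/null 2>&1; then
        echo "FIPS mode on, prelink not installed: nothing to undo"
        return 0
    fi
    echo "FIPS mode on: running $PRELINK_BIN -ua"
    if ! "$PRELINK_BIN" -ua; then
        echo "prelink -ua failed; binaries may still be prelinked" >&2
        return 1
    fi
    return 0
}

# Only act when invoked explicitly, e.g. from a boot-time unit or init script.
if [ "${1:-}" = "--run" ]; then
    undo_prelink_if_fips
fi
```

The same `prelink -ua` call covers the second request in the message, undoing prelinking when the package is removed, if it is invoked from the package's pre-uninstall step.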