F38 proposal: Add _FORTIFY_SOURCE=3 to distribution build flags (System-Wide Change proposal)
https://fedoraproject.org/wiki/Changes/Add_FORTIFY_SOURCE%3D3_to_distribution_build_flags

This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

== Summary ==
Replace the current `_FORTIFY_SOURCE=2` with `_FORTIFY_SOURCE=3` to improve mitigation of security issues arising from buffer overflows in packages in Fedora.

== Owner ==
* Name: [[User:siddhesh| Siddhesh Poyarekar]]
* Email: sipoy...@redhat.com

== Detailed Description ==
Default C and C++ compiler flags to build packages in Fedora currently include `-Wp,-D_FORTIFY_SOURCE=2`, which enables fortification of some functions in glibc, thus providing some mitigation against buffer overflows. Since glibc 2.34 and GCC 12, there has been a new fortification level (`_FORTIFY_SOURCE=3`) which improves the coverage of this mitigation. The core change to bring in this mitigation is to change the default build flags in `redhat-rpm-config` so that packages build by default with `-Wp,-D_FORTIFY_SOURCE=3`.

There are packages (e.g. `systemd`) that do not interact well with `_FORTIFY_SOURCE` and will also need a workaround to downgrade fortification to level 2. The change will also include this override.

== Benefit to Fedora ==
[https://docs.google.com/spreadsheets/d/1nPSmbEf3HVB91zI8yBraMqVry3_ILmlV2Z5K7FZeHZg/edit?usp=sharing Analysis of packages] in Fedora rawhide indicates that the improvement of mitigation coverage is on average over 2.4x, in some cases protecting more than half of the fortified glibc calls in the target application. This change will thus harden Fedora to a significant extent, thus making it a more secure distribution out of the box.

== Scope ==
* Proposal owners: Post a merge request to redhat-rpm-config with the actual change to build flags.
* Other developers: Resolve bugs filed for build failures, either by fixing the bug exposed by `_FORTIFY_SOURCE=3` or by disabling `_FORTIFY_SOURCE=3` for the package if it is a false positive or if the package is unable to adapt to the change.
* Release engineering: Mass rebuild required
* Policies and guidelines: Guidelines should include workaround for packages that fail to build with `-Wp,-D_FORTIFY_SOURCE=3` due to a false positive.
* Trademark approval: N/A (not needed for this Change)

== Upgrade/compatibility impact ==
No ABI change, so there should be no impact on compatibility in a mixed environment.

== How To Test ==
* Smoke testing of packages to ensure that they continue to work correctly. Some packages may have overflows exposed at runtime, which may need to be fixed.

== User Experience ==
No noticeable change to users.

== Dependencies ==
None.

== Contingency Plan ==
* Contingency mechanism: (What to do? Who will do it?) If too many packages are found to be broken at runtime, the default for fortification will be left at `_FORTIFY_SOURCE=2` for Fedora 38. Change owner will do this in `redhat-rpm-config`.
* Contingency deadline: Beta freeze
* Blocks release? Yes
* Blocks product? No

== Documentation ==
[https://developers.redhat.com/articles/2022/09/17/gccs-new-fortification-level# More context on `_FORTIFY_SOURCE=3` improvements].

== Release Notes ==

--
Ben Cotton
He / Him / His
Fedora Program Manager
Red Hat
TZ=America/Indiana/Indianapolis
___
devel-announce mailing list -- devel-announce@lists.fedoraproject.org
To unsubscribe send an email to devel-announce-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
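Added example, not part of the announcement above and not glibc code: the coverage difference between the two levels comes from how the destination size is obtained. Level 2 can check a call only when the size is a compile-time constant (`__builtin_object_size`), while level 3 can also use a size known only at run time (`__builtin_dynamic_object_size`). The names `would_refuse`, `checked_copy` and the `OBJSZ_*` macros are hypothetical.

```c
/* Added illustration, not glibc source. Build: gcc -O2 fortify_demo.c */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UNKNOWN_SIZE ((size_t)-1)   /* builtins return this when they cannot tell */
/* Level 2 view: object size only when it is a compile-time constant. */
#define OBJSZ_L2(p) __builtin_object_size((p), 0)
/* Level 3 view: size may be a run-time expression (GCC 12+, Clang 9+). */
#if defined(__has_builtin)
# if __has_builtin(__builtin_dynamic_object_size)
#  define OBJSZ_L3(p) __builtin_dynamic_object_size((p), 0)
# endif
#endif
#ifndef OBJSZ_L3
# define OBJSZ_L3(p) OBJSZ_L2(p)    /* older compiler: falls back to the level 2 view */
#endif

/* 1 if a write of n bytes must be refused; an unknown size cannot be checked. */
int would_refuse(size_t dst_size, size_t n)
{
    return dst_size != UNKNOWN_SIZE && n > dst_size;
}

/* Hypothetical stand-in for a fortified memcpy: returns -1 instead of aborting. */
int checked_copy(void *dst, size_t dst_size, const void *src, size_t n)
{
    if (would_refuse(dst_size, n))
        return -1;
    memcpy(dst, src, n);
    return 0;
}

int main(int argc, char **argv)
{
    size_t want = (argc > 1) ? strtoul(argv[1], NULL, 10) : 8;  /* run-time size */
    char src[32] = {0};
    char *heap = malloc(want);
    if (heap == NULL)
        return 1;
    size_t l2 = OBJSZ_L2(heap), l3 = OBJSZ_L3(heap);
    printf("level 2 checks this copy: %s\n", l2 != UNKNOWN_SIZE ? "yes" : "no");
    printf("level 3 checks this copy: %s\n", l3 != UNKNOWN_SIZE ? "yes" : "no");
    if (l3 != UNKNOWN_SIZE)   /* only attempt the oversized copy when it is guarded */
        printf("32-byte copy into %zu bytes: %d\n", l3, checked_copy(heap, l3, src, sizeof src));
    free(heap);
    return 0;
}
```

Built with GCC 12 or later at `-O2`, level 2 is expected to report "no" for the `malloc`'d buffer and level 3 "yes". Without optimization both report "no", which is why fortification only takes effect in optimized builds.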
Fedora/CentOS planned outage 2022-12-08 19:00 UTC
Planned Outage - IAD2 Outage - 2022-12-08 19:00 UTC

There will be an outage starting at 2022-12-08 19:00 UTC, which will last approximately 4 hours.

To convert UTC to your local time, take a look at http://fedoraproject.org/wiki/Infrastructure/UTCHowto or run:

date -d '2022-12-08 19:00 UTC'

Reason for outage:
There will be a multi hour outage as a hardware firewall is changed out of the IAD2 data center where most Fedora systems are housed. Outages should be in short cycles as the firewall is changed over to new hardware and rules are tested and confirmed.

Affected Services:
Most Fedora and CentOS Services will be affected
Build systems for s390x will need to be restarted as NFS will break
Builds in CentOS Stream and other infrastructure will be blocked during this time.

Ticket Link: https://pagure.io/fedora-infrastructure/issue/

Please join #fedora-admin or #fedora-noc on irc.libera.chat or add comments to the ticket for this outage above.

--
Stephen Smoogen, Red Hat Automotive
Let us be kind to one another, for most of us are fighting a hard battle. -- Ian MacClaren
Orphaned packages looking for new maintainers
The following packages are orphaned and will be retired when they are orphaned for six weeks, unless someone adopts them. If you know for sure that the package should be retired, please do so now with a proper reason:
https://fedoraproject.org/wiki/How_to_remove_a_package_at_end_of_life

Note: If you received this mail directly you (co)maintain one of the affected packages or a package that depends on one. Please adopt the affected package or retire your depending package to avoid broken dependencies, otherwise your package will fail to install and/or build when the affected package gets retired.

Request package ownership via the *Take* button in the left column on https://src.fedoraproject.org/rpms/

Full report available at:
https://churchyard.fedorapeople.org/orphans-2022-12-05.txt
grep it for your FAS username and follow the dependency chain.

For human readable dependency chains, see https://packager-dashboard.fedoraproject.org/
For all orphaned packages, see https://packager-dashboard.fedoraproject.org/orphan

Package                           (co)maintainers                                                 Status Change
5minute                           orphan                                                          0 weeks ago
CFR                               jvanek, orphan                                                  0 weeks ago
CheMPS2                           orphan                                                          0 weeks ago
PolicyKit-olpc                    orphan                                                          1 weeks ago
abiword                           chimosky, herrold, huzaifas, orphan                             0 weeks ago
aboot                             orphan                                                          0 weeks ago
albatross                         orphan                                                          1 weeks ago
alleyoop                          orphan                                                          1 weeks ago
alure                             orphan                                                          0 weeks ago
amor                              jgrulich, kde-sig, orphan, rdieter, than                        1 weeks ago
anki                              chkr, orphan                                                    0 weeks ago
asn1c                             orphan                                                          0 weeks ago
backup-manager                    orphan                                                          1 weeks ago
bbkeys                            orphan                                                          0 weeks ago
bharati-m17n                      orphan                                                          0 weeks ago
bibtex2html                       orphan, thofmann                                                0 weeks ago
biosdevname                       lnykryn, msekleta, orphan, vpavlin                              0 weeks ago
blackbox                          cicku, orphan                                                   0 weeks ago
bluecurve-classic-metacity-theme  gnome-sig, orphan, rstrode                                      0 weeks ago
bluecurve-gnome-theme             gnome-sig, orphan, rstrode                                      0 weeks ago
bluecurve-gtk-themes              gnome-sig, orphan, rstrode                                      0 weeks ago
bluecurve-icon-theme              gnome-sig, orphan, rstrode                                      0 weeks ago
bluecurve-kde-theme               gnome-sig, kkofler, orphan, rdieter, rstrode, than              0 weeks ago
bluecurve-metacity-theme          gnome-sig, orphan, rstrode                                      0 weeks ago
bluecurve-xmms-skin               gnome-sig, orphan, rstrode                                      0 weeks ago
brainfuck                         orphan                                                          0 weeks ago
buildbot                          besser82, ignatenkobrain, limb, ngompa, orphan, radez, smilner  1 weeks ago
cairo-clock                       orphan                                                          0 weeks ago
code-editor                       orphan                                                          1 weeks ago
compton                           orphan                                                          1 weeks ago
converseen                        orphan                                                          1 weeks ago
cups-bjnp                         orphan                                                          1 weeks ago
curlpp                            orphan                                                          0 weeks ago
dmz-cursor-themes                 company, orphan                                                 1 weeks ago
docker-compose                    lsm5, orphan, ttomecek                                          1 weeks ago
ejabberd                          bowlofeggs, jcline, orphan, xavierb                             0 weeks ago
enchant                           orphan                                                          0 weeks ago
erlang-epgsql                     lkundrak, orphan                                                1 weeks ago
eureka                            orphan                                                          0 weeks ago
fcitx                             cheeselee, cicku, orphan, pwu, yanqiyu                          1 weeks ago
fcitx-chewing                     cheeselee, orphan, yanqiyu                                      1 weeks ago
fcitx-cloudpinyin                 cheeselee, orphan, yanqiyu                                      1 weeks ago
fcitx-configtool                  cheeselee, orphan, yanqiyu                                      1 weeks ago
fcitx-fbterm