
Re: Switch on compiler hardening defaults



On Wed, Jan 6, 2010 at 12:37 PM, Kees Cook <kees@debian.org> wrote:
> On Wed, Jan 06, 2010 at 11:01:01AM +0800, Paul Wise wrote:
>> On Wed, Jan 6, 2010 at 9:20 AM, Kees Cook <kees@debian.org> wrote:
>>
>> > There is a maintained (by RedHat) patch for dealing with PIE.  I already
>> > maintain a delta for this in Ubuntu, but as you can see in the gdb bug,
>> > the gdb maintainer doesn't want it until it's in upstream.  I, obviously,
>> > think that's ridiculous.  PIE works and is useful.  Blocking its rollout
>> > because gdb's support for it isn't upstream just furthers the catch-22.
>>
>> It is perfectly reasonable to reject patches until they are upstream.
>> I personally will never add patches to Debian without either
>> committing them upstream myself or some indication that they already
>> have been or will be accepted upstream. IIRC the Debian kernel team
>> has similar policies. Why hasn't RedHat upstreamed the patch? They are
>> usually good about doing that. Perhaps you could push them to do so.
>
> Normally, I'd totally agree.  I do not know why RedHat has chosen to carry
> the PIE patches for 5 years[1], but they have.  I[2] and others[3]
> have asked over the years, but no one with a deep enough understanding
> of the affected code has had the time to get it upstream.
>
> That said, the patches[4] in RedHat have a full test-suite associated with
> them.  They're applied after their massive Archer patchset[5], so I had to
> fiddle pretty hard to get the PIE support working in the Debian package.
>
> As seen at the end of the Ubuntu gdb series file:
>
> # RH stack that seems to be needed for sane PIE handling
> gdb-6.3-test-pie-20050107.patch
> gdb-6.5-bz203661-emit-relocs.patch
> gdb-workaround-rh-stack-on.patch
> gdb-6.6-buildid-locate.patch
> gdb-6.3-pie-20050110.patch
> gdb-workaround-rh-stack-off.patch
>
> -Kees
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=130423
> [2] http://sourceware.org/ml/gdb-patches/2008-05/msg00269.html
> [3] http://sourceware.org/ml/gdb/2006-08/msg00188.html
> [4] http://cvs.fedora.redhat.com/viewvc/devel/gdb/
> [5] http://fedoraproject.org/wiki/Features/Archer

Hmm, OK. I'm quite surprised Fedora carries so many[1] patches to GDB,
given their policy of staying close to upstreams[2].

Jan, as the maintainer of GDB in Fedora, can you comment on if/when
Fedora's many many GDB patches (particularly PIE support) will be
merged upstream? Has there been any attempt thus far at getting them
merged? It would also be nice if the patches had some metadata in
them, such as what is described in DEP-3[3].

1. http://cvs.fedoraproject.org/viewvc/rpms/gdb/devel/
2. http://fedoraproject.org/wiki/Staying_close_to_upstream_projects
3. http://dep.debian.net/deps/dep3/

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
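For reference, this is what a DEP-3 header on one of the patches from the series above could look like. It is an illustration added here, not a header taken from the Fedora or Ubuntu gdb packages: the Description text, the Author placeholder and the Last-Update date are assumptions; the Origin and Bug-RedHat URLs are the ones cited in the thread, and Forwarded reflects the thread's statement that the patch is not upstream.

```diff
Description: Support position-independent executables (PIE) in gdb
 Lets gdb load and debug a main executable built with -fPIE -pie.
 (Illustrative wording; the real description must match what the
 patch body actually changes.)
Origin: vendor, http://cvs.fedora.redhat.com/viewvc/devel/gdb/
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=130423
Forwarded: no
Author: (patch author, as recorded in the Fedora package changelog)
Last-Update: 2010-01-06

# (the unchanged hunks of gdb-6.3-pie-20050110.patch follow here)
```

The two fields that answer the questions raised in this thread are Origin (where the patch came from) and Forwarded (whether it has been sent upstream, and if so a URL to the submission); Bug-<Vendor> records the distribution bug the patch fixes, and Last-Update makes it easy to see how long a patch has been carried.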
