Re: Introducing security hardening features for Lenny
John Goerzen wrote:
> However, I am concerned that it appears to be limited in scope to packages
> * Are written in C or C++
> * Can have hardening achieved through technical changes to the build process
> I think it is important to remember that other languages can have security
> problems too, perhaps just as easy as these (shell).
Sure, but we're trying to optimise for the common case here.
Everyone is welcome to start systematic security enhancement efforts for other
languages (like, checking all existing Python code for insecure subprocess
invocation or something similar).
An important reason is that some features (SSP and FORTIFIED_SOURCE) allow us
to lower the amount of needed work to fix security issues. There have been
several vulnerabilities which are non-issues on e.g. RHEL5, which has both
enabled. The ASLR changes are icing on the cake.
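
The kind of systematic Python audit mentioned in the reply, sketched as an added example (not part of the original message or of any Debian tooling): a static check that flags shell invocations whose command string is built from non-literal data. The function names and the sample input are constructed for illustration.

```python
import ast

# Functions that always hand their first argument to /bin/sh.
ALWAYS_SHELL = {"os.system", "os.popen"}
# subprocess entry points that use a shell only when shell=True is passed.
SUBPROCESS_FUNCS = {"subprocess." + n for n in
                    ("call", "check_call", "check_output", "run", "Popen")}


def dotted_name(node):
    """Return 'module.attr' for a call target such as os.system, else None."""
    if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
        return node.value.id + "." + node.attr
    return None


def is_literal(node):
    """A plain string constant cannot carry caller-supplied data."""
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def find_shell_calls(source, filename="<string>"):
    """Return (line, function) for each shell call built from non-literal data."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        name = dotted_name(node.func)
        shell_on = any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                       and kw.value.value is True for kw in node.keywords)
        uses_shell = name in ALWAYS_SHELL or (name in SUBPROCESS_FUNCS and shell_on)
        if uses_shell and not is_literal(node.args[0]):
            findings.append((node.lineno, name))
    return sorted(findings)


# Constructed sample input, not taken from any Debian package.
SAMPLE = '''import os, subprocess
def show(path):
    os.system("ls -l " + path)                       # flagged: concatenation
    subprocess.call("du -sh %s" % path, shell=True)  # flagged: formatting
    subprocess.call(["du", "-sh", path])             # ok: argv list, no shell
    os.system("sync")                                # ok: constant command
'''

if __name__ == "__main__":
    for line, func in find_shell_calls(SAMPLE):
        print("line %d: %s with a non-literal command" % (line, func))
```

The check only recognises calls written as `module.function(...)`; names imported with `from subprocess import call` or module aliases are not followed, so a clean result is not proof of safety.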