Re: Switch on compiler hardening defaults
On Wed, 6 Jan 2010 11:01:01 +0800 Paul Wise wrote:
> On Wed, Jan 6, 2010 at 9:20 AM, Kees Cook <email@example.com> wrote:
> > There is a maintained (by RedHat) patch for dealing with PIE. I already
> > maintain a delta for this in Ubuntu, but as you can see in the gdb bug,
> > the gdb maintainer doesn't want it until it's in upstream. I, obviously,
> > think that's ridiculous. PIE works and is useful. Blocking its rollout
> > because gdb's support for it isn't upstream just furthers the catch-22.
> It is perfectly reasonable to reject patches until they are upstream.
> I personally will never add patches to Debian without either
> committing them upstream myself or some indication that they already
> have been or will be accepted upstream. IIRC the Debian kernel team
> has similar policies. Why hasn't RedHat upstreamed the patch? They are
> usually good about doing that. Perhaps you could push them to do so.
While normally I would agree with your logic, when it comes to security
I think a more cautious logic must prevail. Remember that item 4 of
the social contract states that: "Our priorities are our users and free
software." An aspect of that guidance is providing high quality
security for those users. Hence, when a feature improves security (or
provides additional harding) the convenience factor of not differing
from upstream should be considered a lower priority than normal.