
Re: Switch on compiler hardening defaults

On Wed, 6 Jan 2010 11:01:01 +0800 Paul Wise wrote:

> On Wed, Jan 6, 2010 at 9:20 AM, Kees Cook <kees@debian.org> wrote:
> > There is a maintained (by RedHat) patch for dealing with PIE.  I already
> > maintain a delta for this in Ubuntu, but as you can see in the gdb bug,
> > the gdb maintainer doesn't want it until it's in upstream.  I, obviously,
> > think that's ridiculous.  PIE works and is useful.  Blocking its rollout
> > because gdb's support for it isn't upstream just furthers the catch-22.
> It is perfectly reasonable to reject patches until they are upstream.
> I personally will never add patches to Debian without either
> committing them upstream myself or some indication that they already
> have been or will be accepted upstream. IIRC the Debian kernel team
> has similar policies. Why hasn't RedHat upstreamed the patch? They are
> usually good about doing that. Perhaps you could push them to do so.

While normally I would agree with your logic, when it comes to security
I think a more cautious logic must prevail.  Remember that item 4 of
the social contract states that: "Our priorities are our users and free
software."  An aspect of that guidance is providing high quality
security for those users.  Hence, when a feature improves security (or
provides additional hardening) the convenience factor of not differing
from upstream should be considered a lower priority than normal.

Best wishes,
