
Re: Switch on compiler hardening defaults

On Wed, Jan 6, 2010 at 4:28 PM, Paul Wise <pabs@debian.org> wrote:
> On Wed, Jan 6, 2010 at 12:37 PM, Kees Cook <kees@debian.org> wrote:
>> On Wed, Jan 06, 2010 at 11:01:01AM +0800, Paul Wise wrote:
>>> On Wed, Jan 6, 2010 at 9:20 AM, Kees Cook <kees@debian.org> wrote:
>>> > There is a maintained (by RedHat) patch for dealing with PIE.  I already
>>> > maintain a delta for this in Ubuntu, but as you can see in the gdb bug,
>>> > the gdb maintainer doesn't want it until it's in upstream.  I, obviously,
>>> > think that's ridiculous.  PIE works and is useful.  Blocking its rollout
>>> > because gdb's support for it isn't upstream just furthers the catch-22.
>>> It is perfectly reasonable to reject patches until they are upstream.
>>> I personally will never add patches to Debian without either
>>> committing them upstream myself or some indication that they already
>>> have been or will be accepted upstream. IIRC the Debian kernel team
>>> has similar policies. Why hasn't RedHat upstreamed the patch? They are
>>> usually good about doing that. Perhaps you could push them to do so.
>> Normally, I'd totally agree.  I do not know why RedHat has chosen to carry
>> the PIE patches for 5 years[1], but they have.  I[2] and others[3]
>> have asked over the years, but no one with a deep enough understanding
>> of the affected code has had the time to get it upstream.
>> That said, the patches[4] in RedHat have a full test-suite associated with
>> them.  They're applied after their massive Archer patchset[5], so I had to
>> fiddle pretty hard to get the PIE support working in the Debian package.
>> As seen at the end of the Ubuntu gdb series file:
>> # RH stack that seems to be needed for sane PIE handling
>> gdb-6.3-test-pie-20050107.patch
>> gdb-6.5-bz203661-emit-relocs.patch
>> gdb-workaround-rh-stack-on.patch
>> gdb-6.6-buildid-locate.patch
>> gdb-6.3-pie-20050110.patch
>> gdb-workaround-rh-stack-off.patch
>> -Kees
>> [1] https://bugzilla.redhat.com/show_bug.cgi?id=130423
>> [2] http://sourceware.org/ml/gdb-patches/2008-05/msg00269.html
>> [3] http://sourceware.org/ml/gdb/2006-08/msg00188.html
>> [4] http://cvs.fedora.redhat.com/viewvc/devel/gdb/
>> [5] http://fedoraproject.org/wiki/Features/Archer
> Hmm, OK. I'm quite surprised Fedora carries so many[1] patches to GDB,
> given their policy of staying close to upstreams[2].
> Jan, as the maintainer of GDB in Fedora, can you comment on if/when
> Fedora's many many GDB patches (particularly PIE support) will be
> merged upstream? Has there been any attempt thus far at getting them
> merged? It would also be nice if the patches had some metadata in
> them, such as what is described in DEP-3.
> 1. http://cvs.fedoraproject.org/viewvc/rpms/gdb/devel/
> 2. http://fedoraproject.org/wiki/Staying_close_to_upstream_projects
> 3. http://dep.debian.net/deps/dep3/

Bah, actually CCing this time.
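The whole exchange above turns on PIE (position-independent executables) being switched on by default and debuggers coping with it. Before arguing about toolchain support, a maintainer usually wants to know whether a shipped binary actually came out as PIE. The following is an added example, not code from this thread, from gdb, or from any Debian/Ubuntu package: it reads the ELF header and program headers by hand and reports whether a file is a fixed-address executable (ET_EXEC), a PIE (ET_DYN carrying a PT_INTERP header, which is what the linker emits for -pie), a plain shared object, or not an ELF file at all. The sample images it classifies are constructed in the script (headers only, no code), so it runs offline; the `build_elf64` helper and the `classify_*` function names are this example's own.

```python
"""Classify an ELF file as PIE, non-PIE executable or shared object.

Added example; not code from the thread, from gdb or from any Debian or
Ubuntu package.  Only the ELF header and program headers are read.
"""
import struct

ET_EXEC, ET_DYN = 2, 3           # e_type values
PT_LOAD, PT_INTERP = 1, 3        # p_type values
EI_CLASS, EI_DATA = 4, 5         # offsets into e_ident
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB = 1


def classify_elf(data: bytes) -> str:
    """Return 'not-elf', 'not-executable', 'no-pie', 'pie' or 'shared-object'.

    ET_EXEC images are linked at a fixed address, so the main image gets no
    ASLR.  ET_DYN plus a PT_INTERP program header is what gcc -pie produces.
    ET_DYN without PT_INTERP is treated as a shared library (a static-pie
    also lacks PT_INTERP and lands in that bucket; known simplification).
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return "not-elf"
    endian = "<" if data[EI_DATA] == ELFDATA2LSB else ">"
    if data[EI_CLASS] == ELFCLASS64:
        ehdr_fmt, phdr_fmt = "16sHHIQQQIHHHHHH", "IIQQQQQQ"
    elif data[EI_CLASS] == ELFCLASS32:
        ehdr_fmt, phdr_fmt = "16sHHIIIIIHHHHHH", "IIIIIIII"
    else:
        return "not-elf"
    ehdr_fmt, phdr_fmt = endian + ehdr_fmt, endian + phdr_fmt
    ehdr_size = struct.calcsize(ehdr_fmt)
    if len(data) < ehdr_size:
        return "not-elf"
    fields = struct.unpack(ehdr_fmt, data[:ehdr_size])
    # Field order is identical for ELF32 and ELF64, only widths differ.
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    if e_type == ET_EXEC:
        return "no-pie"
    if e_type != ET_DYN:
        return "not-executable"          # relocatable object, core dump, ...
    phdr_size = struct.calcsize(phdr_fmt)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        chunk = data[off:off + phdr_size]
        if len(chunk) < phdr_size:
            break                        # truncated file: stop, do not raise
        if struct.unpack(phdr_fmt, chunk)[0] == PT_INTERP:   # p_type is first
            return "pie"
    return "shared-object"


def classify_file(path: str) -> str:
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return classify_elf(fh.read())


def build_elf64(e_type: int, phdr_types: list) -> bytes:
    """Constructed test input: a minimal little-endian x86-64 ELF64 image
    consisting only of an ELF header and the requested program headers."""
    ehdr_size, phdr_size = 64, 56
    e_ident = b"\x7fELF" + bytes([ELFCLASS64, ELFDATA2LSB, 1]) + bytes(9)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", e_ident, e_type, 0x3E, 1, 0x1000,
                       ehdr_size, 0, 0, ehdr_size, phdr_size, len(phdr_types),
                       0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 0x1000)
                     for t in phdr_types)
    return ehdr + phdrs


# Constructed samples standing in for real binaries.
SAMPLES = {
    "fixed-address exe": build_elf64(ET_EXEC, [PT_LOAD, PT_INTERP]),
    "pie exe":           build_elf64(ET_DYN, [PT_INTERP, PT_LOAD]),
    "shared lib":        build_elf64(ET_DYN, [PT_LOAD]),
    "random bytes":      b"MZ\x90\x00" + bytes(60),
}


def classify_samples() -> dict:
    return {name: classify_elf(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:20s} {verdict}")
```

Pointing `classify_file` at a freshly built package's binaries gives a quick audit of whether the hardening default took effect; a result of `no-pie` on a main executable means the build flags did not reach that link step.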
