Re: Switch on compiler hardening defaults
On Tue, 05 Jan 2010, Michael Gilbert wrote:
> On Wed, 6 Jan 2010 11:01:01 +0800 Paul Wise wrote:
> > On Wed, Jan 6, 2010 at 9:20 AM, Kees Cook <kees@debian.org> wrote:
> > > There is a maintained (by RedHat) patch for dealing with PIE. I already
> >
> > It is perfectly reasonable to reject patches until they are upstream.
> > I personally will never add patches to Debian without either
> > committing them upstream myself or some indication that they already
> > have been or will be accepted upstream. IIRC the Debian kernel team
> > has similar policies. Why hasn't RedHat upstreamed the patch? They are
> > usually good about doing that. Perhaps you could push them to do so.
>
> While normally I would agree with your logic, when it comes to security
> I think a more cautious logic must prevail. Remember that item 4 of
It is exactly because of security that many of us frown *heavily* upon
anything that is not submitted upstream. We _did_ learn our lesson from the
OpenSSL problem.
So, the question that needs an answer is: _why_ isn't it upstream yet?
--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh
Reply to: