Re: Hardening Python packages

To: debian-python@lists.debian.org
Subject: Re: Hardening Python packages
From: Jakub Wilk <jwilk@debian.org>
Date: Thu, 24 May 2012 22:43:27 +0200
Message-id: <[🔎] 20120524204327.GA9041@jwilk.net>
Mail-followup-to: debian-python@lists.debian.org
In-reply-to: <[🔎] 1337890435.12065.7.camel@rogue.dyndns.info>
References: <[🔎] 1337890435.12065.7.camel@rogue.dyndns.info>

* Tomasz Rybak <tomasz.rybak@post.pl>, 2012-05-24, 22:13:

W: python-pyopencl: hardening-no-fortify-functions usr/lib/python2.6/dist-packages/pyopencl/_cl.so
W: python-pyopencl: hardening-no-stackprotector usr/lib/python2.6/dist-packages/pyopencl/_pvt_struct.so

hardening-no-fortify-functions and hardening-no-stackprotector are proneto false-positives. There's a bug report in the BTS about this.

Sample gcc call:
gcc -pthread -fwrapv -Wall -O3 -DNDEBUG -g -O2 -fstack-protector
--param=ssp-buffer-size=4 -Wformat -Werror=format-security
-D_FORTIFY_SOURCE=2 -fPIC -DPYGPU_PACKAGE=pyopencl -DPYGPU_PYOPENCL=1
-DPYOPENCL_USE_DEVICE_FISSION=1 -DHAVE_GL=1
-I/usr/lib/python3/dist-packages/numpy/core/include
-I/usr/lib/python3/dist-packages/numpy/core/include
-I/usr/include/python3.2mu -c src/wrapper/wrap_cl_part_2.cpp -o
build/temp.linux-x86_64-3.2/src/wrapper/wrap_cl_part_2.o

so hardening options are given to the compiler.


That's for Python 3.2. What about Python 2.6?

--
Jakub Wilk

Reply to:

Follow-Ups:
- Re: Hardening Python packages
  - From: Tomasz Rybak <tomasz.rybak@post.pl>

References:
- Hardening Python packages
  - From: Tomasz Rybak <tomasz.rybak@post.pl>

Prev by Date: Hardening Python packages
Next by Date: Re: Hardening Python packages
Previous by thread: Hardening Python packages
Next by thread: Re: Hardening Python packages
Index(es):
- Date
- Thread