Re: Hardening Python packages

To: Jakub Wilk <jwilk@debian.org>
Cc: debian-python@lists.debian.org
Subject: Re: Hardening Python packages
From: Tomasz Rybak <tomasz.rybak@post.pl>
Date: Thu, 24 May 2012 22:59:42 +0200
Message-id: <[🔎] 1337893182.12065.10.camel@rogue.dyndns.info>
In-reply-to: <[🔎] 20120524204327.GA9041@jwilk.net>
References: <[🔎] 1337890435.12065.7.camel@rogue.dyndns.info> <[🔎] 20120524204327.GA9041@jwilk.net>

Dnia 2012-05-24, czw o godzinie 22:43 +0200, Jakub Wilk pisze:
> * Tomasz Rybak <tomasz.rybak@post.pl>, 2012-05-24, 22:13:
> >W: python-pyopencl: hardening-no-fortify-functions usr/lib/python2.6/dist-packages/pyopencl/_cl.so
> >W: python-pyopencl: hardening-no-stackprotector usr/lib/python2.6/dist-packages/pyopencl/_pvt_struct.so
> 
> hardening-no-fortify-functions and hardening-no-stackprotector are prone 
> to false-positives. There's a bug report in the BTS about this.

OK, thanks for information.
Should I add lintian override or just ignore those those warnings?

> 
> >Sample gcc call:
> >gcc -pthread -fwrapv -Wall -O3 -DNDEBUG -g -O2 -fstack-protector
> >--param=ssp-buffer-size=4 -Wformat -Werror=format-security
> >-D_FORTIFY_SOURCE=2 -fPIC -DPYGPU_PACKAGE=pyopencl -DPYGPU_PYOPENCL=1
> >-DPYOPENCL_USE_DEVICE_FISSION=1 -DHAVE_GL=1
> >-I/usr/lib/python3/dist-packages/numpy/core/include
> >-I/usr/lib/python3/dist-packages/numpy/core/include
> >-I/usr/include/python3.2mu -c src/wrapper/wrap_cl_part_2.cpp -o
> >build/temp.linux-x86_64-3.2/src/wrapper/wrap_cl_part_2.o
> >
> >so hardening options are given to the compiler.
> 
> That's for Python 3.2. What about Python 2.6?

2.6:
gcc -pthread -fno-strict-aliasing -fwrapv -Wall -O3 -DNDEBUG -g -O2
-fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security -D_FORTIFY_SOURCE=2 -fPIC
-DPYGPU_PACKAGE=pyopencl -DPYGPU_PYOPENCL=1
-DPYOPENCL_USE_DEVICE_FISSION=1 -DHAVE_GL=1
-I/usr/lib/pymodules/python2.6/numpy/core/include
-I/usr/include/python2.6 -c src/wrapper/wrap_cl.cpp -o
build/temp.linux-x86_64-2.6/src/wrapper/wrap_cl.o

2.7:
gcc -pthread -fno-strict-aliasing -fwrapv -Wall -O3 -DNDEBUG -g -O2
-fstack-protector --param=ssp-buffer-size=4 -Wformat
-Werror=format-security -D_FORTIFY_SOURCE=2 -fPIC
-DPYGPU_PACKAGE=pyopencl -DPYGPU_PYOPENCL=1
-DPYOPENCL_USE_DEVICE_FISSION=1 -DHAVE_GL=1
-I/usr/lib/pymodules/python2.7/numpy/core/include
-I/usr/include/python2.7 -c src/wrapper/wrap_cl_part_1.cpp -o
build/temp.linux-x86_64-2.7/src/wrapper/wrap_cl_part_1.o

Modules for all Python versions are given the same compilation
and linking options.

Best regards.

-- 
Tomasz Rybak  GPG/PGP key ID: 2AD5 9860
Fingerprint A481 824E 7DD3 9C0E C40A  488E C654 FB33 2AD5 9860
http://member.acm.org/~tomaszrybak

Attachment: signature.asc
Description: This is a digitally signed message part

Reply to:

References:
- Hardening Python packages
  - From: Tomasz Rybak <tomasz.rybak@post.pl>
- Re: Hardening Python packages
  - From: Jakub Wilk <jwilk@debian.org>

Prev by Date: Re: Hardening Python packages
Next by Date: RFS: python-gnatpython/54-2
Previous by thread: Re: Hardening Python packages
Next by thread: RFS: python-gnatpython/54-2
Index(es):
- Date
- Thread