Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 953390
Description of problem:
http://fedoraproject.org/wiki/Packaging:Guidelines#PIE says that "you MUST enable the PIE compiler flags if your package is long running ...". However, currently 389-ds-base is not being built with PIE flags. This is a clear violation of the packaging guidelines.

This issue (in its wider scope) is being discussed at:
https://fedorahosted.org/fesco/ticket/1104
https://lists.fedoraproject.org/pipermail/devel/2013-March/180827.html

Version-Release number of selected component (if applicable):
389-ds-base-1.3.0.5-1.fc19.x86_64.rpm

How reproducible:
You can use the following programs to check if a package is hardened:
http://people.redhat.com/sgrubb/files/rpm-chksec OR https://github.com/kholia/checksec

Steps to Reproduce:
Get scanner.py from https://github.com/kholia/checksec

$ ./scanner.py 389-ds-base-1.3.0.5-1.fc19.x86_64.rpm
Analyzing 389-ds-base-1.3.0.5-1.fc19.x86_64.rpm ...
...
389-ds-base,389-ds-base-1.3.0.5-1.fc19.x86_64.rpm,/usr/sbin/ns-slapd,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Enabled,RUNPATH=Disabled,CATEGORY=network-ip

Actual results:
/usr/sbin/ns-slapd is not PIE.

Expected results:
/usr/sbin/ns-slapd *should* be PIE.

Possible Fix:
The "_hardened_build" rpm spec macro can be used to harden a package.
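The PIE, NX and RELRO columns in the scanner output above correspond to fields in the ELF header, program headers and dynamic section. The sketch below is an added example, not part of the original ticket and not code from checksec or rpm-chksec; it assumes 64-bit little-endian ELF, uses the DT_DEBUG / DF_1_PIE heuristic to tell a PIE from a shared object, and runs on constructed images (`build_elf`, `BEFORE` and `AFTER` are hypothetical names).

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_DEBUG, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 21, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE, PF_X = 0x8, 0x1, 0x08000000, 0x1

def check_hardening(elf: bytes) -> dict:
    """Report PIE / NX / RELRO for a 64-bit little-endian ELF image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only ELF64 little-endian is handled in this sketch")
    e_type, = struct.unpack_from("<H", elf, 16)
    e_phoff, = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    segs, dyn = {}, {}
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        segs[p_type] = p_flags
        if p_type == PT_DYNAMIC:  # walk Elf64_Dyn entries (16 bytes each)
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", elf, off)
                if tag == 0:  # DT_NULL terminates the section
                    break
                dyn[tag] = val
    bind_now = (DT_BIND_NOW in dyn or dyn.get(DT_FLAGS, 0) & DF_BIND_NOW
                or dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)
    # Heuristic: an ET_DYN object is a PIE if the linker marked it or left DT_DEBUG.
    is_pie = e_type == ET_DYN and (DT_DEBUG in dyn or dyn.get(DT_FLAGS_1, 0) & DF_1_PIE)
    return {
        "PIE": "Enabled" if is_pie else "DSO" if e_type == ET_DYN else "Disabled",
        "NX": "Enabled" if PT_GNU_STACK in segs and not segs[PT_GNU_STACK] & PF_X else "Disabled",
        "RELRO": ("Full" if bind_now else "Partial") if PT_GNU_RELRO in segs else "Disabled",
    }

def build_elf(e_type, stack_flags, dyn_tags):
    """Constructed test image: ELF header, 3 program headers, a dynamic section."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_tags) + bytes(16)
    dyn_off = 64 + 3 * 56
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, 3, 0, 0, 0)
    ph = lambda t, f, o=0, n=0: struct.pack("<IIQQQQQQ", t, f, o, o, o, n, n, 8)
    return (hdr + ph(PT_DYNAMIC, 6, dyn_off, len(dyn))
            + ph(PT_GNU_STACK, stack_flags) + ph(PT_GNU_RELRO, 4) + dyn)

# Constructed samples: the state reported in this ticket, and a PIE build with BIND_NOW.
BEFORE = build_elf(ET_EXEC, 6, [])
AFTER = build_elf(ET_DYN, 6, [(DT_FLAGS_1, DF_1_NOW | DF_1_PIE)])
if __name__ == "__main__":
    print(check_hardening(BEFORE), check_hardening(AFTER), sep="\n")
```

To inspect a real binary, pass its bytes, for example `check_hardening(open(path, "rb").read())`.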
fedora spec file 0001-Ticket-47332-389-ds-base-package-should-be-built-wit.patch
http://fedoraproject.org/wiki/Packaging:Guidelines#PIE says that "you MUST enable the PIE compiler flags if your package is long running ...".
Hi Mark, Could you also investigate 389-admin, too? (Since the server binary is httpd, it may not be needed, but we'd like to make sure...) Thanks!! --noriko
389-admin 0001-Ticket-47332-389-admin-should-be-built-with-PIE-flag.patch
Replying to [comment:4 nhosoi]:
http://fedoraproject.org/wiki/Packaging:Guidelines#PIE says that "you MUST enable the PIE compiler flags if your package is long running ...". Hi Mark, Could you also investigate 389-admin, too? (Since the server binary is httpd, it may not be needed, but we'd like to make sure...) Thanks!! --noriko
Yes, it looks like it is needed, so I added it. Thanks!
389-ds-base:
commit f5b17abc3740571ead6a3423a56e55523bce62b3
git push origin master
Counting objects: 5, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 483 bytes, done.
Total 3 (delta 2), reused 0 (delta 0)
remote: Emitting a message to the fedmsg bus.
To ssh://mreynolds@pkgs.fedoraproject.org/389-ds-base
   8f86104..f5b17ab  master -> master

git push origin f19
Counting objects: 5, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 529 bytes, done.
Total 3 (delta 2), reused 0 (delta 0)
remote: Emitting a message to the fedmsg bus.
To ssh://mreynolds@pkgs.fedoraproject.org/389-ds-base
   22deb41..236cbb5  f19 -> f19

git push origin f18
Counting objects: 5, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 529 bytes, done.
Total 3 (delta 2), reused 0 (delta 0)
remote: Emitting a message to the fedmsg bus.
To ssh://mreynolds@pkgs.fedoraproject.org/389-ds-base
   c782705..decdcd7  f18 -> f18

git push origin f17
Counting objects: 5, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 522 bytes, done.
Total 3 (delta 2), reused 0 (delta 0)
remote: Emitting a message to the fedmsg bus.
To ssh://mreynolds@pkgs.fedoraproject.org/389-ds-base
   3e72dbd..df87321  f17 -> f17
Admin Server:
50e0b732c3f529a1c28a53a66094522e832b4331
git push origin master
Counting objects: 5, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 430 bytes, done.
Total 3 (delta 2), reused 0 (delta 0)
remote: Emitting a message to the fedmsg bus.
To ssh://mreynolds@pkgs.fedoraproject.org/389-admin
   39a4c29..50e0b73  master -> master
Metadata Update from @mreynolds: - Issue assigned to mreynolds - Issue set to the milestone: 1.3.1.1
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here: - https://github.com/389ds/389-ds-base/issues/669
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: Fixed)