Fedora 20 Will Have A Security/Performance Change

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Fedora 20 Will Have A Security/Performance Change

    Phoronix: Fedora 20 Will Have A Security/Performance Change

    With Fedora 19 being released soon, the Fedora Engineering and Steering Committee has begun evaluating potential changes/features for Fedora 20. One of the features that was approved today is a build change for the RPMs that can yield greater code security but at the potential cost of performance...


  • #2
    Maybe they could run -fstack-protector-all on the alphas and betas.
    Then run -fstack-protector-strong or disable it on the final release.

    Then they catch the security vulnerabilities during testing.



    • #3
      Originally posted by uid313:
      Maybe they could run -fstack-protector-all on the alphas and betas.
      Then run -fstack-protector-strong or disable it on the final release.

      Then they catch the security vulnerabilities during testing.
      To be clear, this is to find vulnerabilities in packages when they are installed, not in Fedora itself. It's a change in how RPM would work, not how the distro itself is built. So while that might be useful for finding vulnerabilities in various packages, it's not directly related to releasing Fedora 20.



      • #4
        Originally posted by tga.d:
        To be clear, this is to find vulnerabilities in packages when they are installed, not in Fedora itself. It's a change in how RPM would work, not how the distro itself is built. So while that might be useful for finding vulnerabilities in various packages, it's not directly related to releasing Fedora 20.
        Well that's not clear at all. -fstack-protector-strong is a gcc flag that adds stack cookies on compiled code, so that when and where a buffer overflow would be happening, the application crashes instead. Definitely a change in how the distro is built, and it's not there to "find" vulnerabilities but protect from them at run time.
        And as they plan to rebuild all packages with this flag only for Fedora 20, it's quite related to this release.



        • #5
          Originally posted by erendorn:
          Well that's not clear at all. -fstack-protector-strong is a gcc flag that adds stack cookies on compiled code, so that when and where a buffer overflow would be happening, the application crashes instead. Definitely a change in how the distro is built, and it's not there to "find" vulnerabilities but protect from them at run time.
          And as they plan to rebuild all packages with this flag only for Fedora 20, it's quite related to this release.
          Maybe I worded it poorly, but that was my point. In particular,
          One of the features that was approved today is a build change for the RPMs that can yield greater code security but at the potential cost of performance.

          The change that was approved today is a GCC flag change for now using "-fstack-protector-strong" on building Fedora RPM packages rather than just the "-fstack-protector" argument.
          As in, it's something you want for the applications you have installed. Testing Fedora itself (what I meant by "releasing Fedora") isn't the main intention of this - other than measuring performance, of course. In any case, at least where I learned coding, crashing a program is never desired behavior, but debugging behavior, which is why I said it's used to find vulnerabilities. As in, if the program ever crashes, something is wrong, and you should file a bug report.
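
Added example, not part of the thread and not Fedora's build configuration: a small C file for comparing which functions GCC instruments under the three flags discussed above. The function names and the file name `ssp_demo.c` are made up for illustration, and the expected coverage in the comments follows the GCC manual's description of each flag (GCC on x86-64 Linux assumed).

```c
/* ssp_demo.c (hypothetical file name)
 * Count the canary checks emitted for each flag; -O0 is used so the
 * locals below are not optimized away before the decision is made:
 *   for f in -fstack-protector -fstack-protector-strong -fstack-protector-all; do
 *     printf '%s: ' "$f"; gcc -O0 -S "$f" ssp_demo.c -o - | grep -c __stack_chk_fail
 *   done
 * Each instrumented function calls __stack_chk_fail when its cookie
 * has been overwritten, which aborts the process.
 */
#include <stdio.h>
#include <string.h>

/* char buffer of 8 bytes or more: instrumented by all three flags */
int big_char_buf(const char *s)
{
    char buf[64];
    snprintf(buf, sizeof buf, "%s", s);   /* bounded copy */
    return (int)strlen(buf);
}

/* char array shorter than 8 bytes: skipped by -fstack-protector,
 * covered by -strong (any local array) and by -all */
int small_array(int n)
{
    char tag[4];
    snprintf(tag, sizeof tag, "%d", n);   /* truncates to 3 chars + NUL */
    return (int)strlen(tag);
}

/* no array, but the address of a local leaves the frame:
 * covered by -strong and -all only */
static void bump(int *p) { *p += 1; }

int address_taken(int n)
{
    int local = n;
    bump(&local);
    return local;
}

/* no arrays and no address-taken locals: covered by -all only */
int plain_leaf(int a, int b)
{
    return a + b;
}

int main(void)
{
    printf("%d %d %d %d\n", big_char_buf("fedora"), small_array(12345),
           address_taken(41), plain_leaf(2, 3));
    return 0;
}
```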
