1 |
On Mon, Jan 23, 2012 at 20:37, Diego Elio Pettenò <flameeyes@g.o>wrote: |
2 |
> |
3 |
> Stripping a compiled file of read permissions is quick, painless and |
4 |
> (mostly) safe from errors. Changing the way it is compiled.. not so |
5 |
> much. |
6 |
> |
7 |
> I'm not saying that it's not a good idea, but if we want to proceed with |
8 |
> this, there has to be someone who goes to look at all the packages and |
9 |
> corrects them. |
10 |
> |
11 |
> |
12 |
Right. It's a big ordeal. I'm *not* suggesting, however, that we |
13 |
automatically inject a CFLAG or something awful like that. |
14 |
|
15 |
What I propose is just to *detect* at merge-time whether or not there are |
16 |
SUID binaries that are not PIE, and if so, spit out a Q&A warning. |
17 |
|
18 |
That way, package maintainers could fix things up bit by bit, without |
19 |
having to burden you alone with tinderbox troubles. |