Ned Ludd posted <1096599618.27475.712.camel@simple>, excerpted below, on
Thu, 30 Sep 2004 23:00:18 -0400:

> On Sun, 2004-09-26 at 23:52, Duncan wrote:
>
[about portage .51's QA Notice: Security risk notice]
>>
>> There's simply not enough there to be anything but a [tease] yet it's
>> labeled security risk. Someone's being *MEAN* with their teasing! =:^\
>
> Sorry about that. This QA notice stems from an internal thread. It was
> intended for developers to see. I've got an open bug now to change the
> output of the QA notice.

Thanks. Looking back, it's self-evident that the warning was designed for
developers, since that's what the other QA notices are. However, that
wasn't evident to me /before/ someone told me, and in any case, such a
user-visible label as worded is a bit of needlessly panicking the
populace, so even with the developer understanding, changing it is a good
idea.

> The append-ldflags is a function that comes from the flag-o-matic.eclass
> which is intended for the developer to use to add a string to the
> package's LDFLAGS. The user interface works just like the CFLAGS
> counterpart.
>
> So for example, to make that message go away for crontab as a user you
> would do LDFLAGS="-Wl,-z,now" emerge virtual/cron

OK. From the other posts and man gcc and man ld I'd figured out what was
involved there. I've looked at flag-o-matic for CFLAGS so am familiar
with the idea there, but hadn't paid attention to LDFLAGS and thus didn't
recognize the append-ldflags from there. Once I'd pieced together what
the rest did and that append-ldflags wasn't some sort of command I could
run from the command line or something, I decided it must be the portage
function (and guessed it was in an eclass but didn't bother to verify).
Nice to get verification of that and exactly where it is, now.

> The basic idea is to rid our tree of setXid executables that use lazy
> bindings. Lazy bindings themselves present no immediate risk that's been
> documented. The behavior is just generally discouraged.

OK, from various reading, I understand the (theoretical) worry about lazy
bindings on setXid executables. Thus, the level of threat is now known
and can be managed. This is a good thing! <g>

I don't know how the message is being changed, but having this sort of
info available about it would be nice and would have prevented alarming
the user (me). <g> Obviously, the message there can't be too verbose.
Perhaps a pointer to a QASECURITY.README file or a URL with the details?

All I want is to be an informed user, keeping in mind that from
a Gentoo dev perspective, their "user" is a sysadmin, and needs
such info, especially about security issues such as this, to properly do
their job.

IOW, this is basically the same request as I made some months ago about
changelog entries denoting keyword removal. When I see an emerge -a with
a [ UD], I want to know /why/ I'm being asked to downgrade. Is it a
security issue or just some issue with functionality based on a USE flag I
don't even have turned on? Since making the request, at least amd64, which
I follow, has been very good at providing this user/sysadmin that info, and
it's been that much easier to do my job /as/ that sysadmin.

So, I guess I owe both them and now you and the portage team a round of
thanks for being so responsive. Just another reason my Gentoo choice was
the RIGHT choice!

> Before you jump into a system-wide deployment of a linker flag be sure
> you understand what they do. The flag for one is known to slow down
> program startup. You won't really see it on a small executable but on a really
> big C++ app with a lot of symbols that also loads a lot of libraries you
> might. By the same token, offsetting the slowdown is the runtime speedup you gain
> because ld.so will already have looked up the entire symbol table.

Thanks for explaining that. I have it on for now, but may consider
turning it off for stuff like KDE when updates to it come out.

> *mean* -solar

<g>

--
Duncan - List replies preferred. No HTML msgs.
"They that can give up essential liberty to obtain a little
temporary safety, deserve neither liberty nor safety." --
Benjamin Franklin



--
gentoo-dev@g.o mailing list
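An added example, written for this page and not taken from the thread or from Gentoo's own QA scripts: a stand-alone Python check for the condition the QA notice is about, a setuid/setgid binary whose dynamic section does not ask ld.so for eager binding. It reads the PT_DYNAMIC segment directly instead of calling readelf, so it runs wherever Python does. The function names, the "/usr/bin" default and make_elf (which builds constructed, non-loadable ELF images purely as test fixtures) are this example's own assumptions.

```python
"""Detect whether a dynamically linked ELF binary was linked with
-Wl,-z,now (eager binding), and list setuid/setgid binaries that still
use lazy binding.  Added example; not Gentoo's QA check."""
import os
import stat
import struct
import sys
import tempfile

PT_DYNAMIC = 2
DT_NULL, DT_NEEDED, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 1, 24, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8   # bit in DT_FLAGS
DF_1_NOW = 0x1      # bit in DT_FLAGS_1

# Per ELF class (1 = ELF32, 2 = ELF64): Ehdr format, Phdr format, Phdr field
# order (it differs between the two classes) and Dyn entry format.  Formats
# carry no byte-order prefix; EI_DATA in the file supplies it.
_LAYOUT = {
    1: ("16sHHIIIIIHHHHHH", "8I",
        ("type", "off", "vaddr", "paddr", "filesz", "memsz", "flags", "align"), "iI"),
    2: ("16sHHIQQQIHHHHHH", "IIQQQQQQ",
        ("type", "flags", "off", "vaddr", "paddr", "filesz", "memsz", "align"), "qQ"),
}


def dynamic_entries(data):
    """Return the (tag, value) list from the PT_DYNAMIC segment of an ELF
    image, or [] for non-ELF, malformed or statically linked input."""
    if data[:4] != b"\x7fELF" or data[4] not in _LAYOUT or data[5] not in (1, 2):
        return []
    endian = "<" if data[5] == 1 else ">"
    ehdr_fmt, phdr_fmt, fields, dyn_fmt = _LAYOUT[data[4]]
    try:
        eh = struct.unpack_from(endian + ehdr_fmt, data, 0)
        phoff, phentsize, phnum = eh[5], eh[9], eh[10]
        for i in range(phnum):
            raw = struct.unpack_from(endian + phdr_fmt, data, phoff + i * phentsize)
            ph = dict(zip(fields, raw))
            if ph["type"] != PT_DYNAMIC:
                continue
            entries, step = [], struct.calcsize(endian + dyn_fmt)
            for off in range(ph["off"], ph["off"] + ph["filesz"], step):
                tag, val = struct.unpack_from(endian + dyn_fmt, data, off)
                if tag == DT_NULL:       # terminator of the dynamic array
                    break
                entries.append((tag, val))
            return entries
    except struct.error:                 # truncated header or segment
        pass
    return []


def binds_now(data):
    """True if the binary requests eager binding in any of the three forms
    the linker can emit: a DT_BIND_NOW entry, DF_BIND_NOW in DT_FLAGS, or
    DF_1_NOW in DT_FLAGS_1 (glibc's ld.so honours all three)."""
    for tag, val in dynamic_entries(data):
        if tag == DT_BIND_NOW:
            return True
        if tag == DT_FLAGS and val & DF_BIND_NOW:
            return True
        if tag == DT_FLAGS_1 and val & DF_1_NOW:
            return True
    return False


def lazy_setxid_binaries(root):
    """Walk ROOT and return the setuid/setgid regular files that are
    dynamically linked but do not request eager binding.  Static binaries
    have no PT_DYNAMIC segment and are skipped: nothing to bind lazily."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode) or not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    continue
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:              # unreadable or vanished file
                continue
            if dynamic_entries(data) and not binds_now(data):
                found.append(path)
    return sorted(found)


def make_elf(dyn, elf_class=2):
    """Constructed test fixture: a minimal little-endian ELF image with one
    PT_DYNAMIC program header and the given dynamic entries.  Not loadable."""
    ehdr_fmt, phdr_fmt, fields, dyn_fmt = _LAYOUT[elf_class]
    ehdr_fmt, phdr_fmt, dyn_fmt = "<" + ehdr_fmt, "<" + phdr_fmt, "<" + dyn_fmt
    ehsize, phentsize = struct.calcsize(ehdr_fmt), struct.calcsize(phdr_fmt)
    body = b"".join(struct.pack(dyn_fmt, t, v) for t, v in dyn + [(DT_NULL, 0)])
    dynoff = ehsize + phentsize          # dynamic array follows the one phdr
    ident = b"\x7fELF" + bytes([elf_class, 1, 1]) + bytes(9)
    ehdr = struct.pack(ehdr_fmt, ident, 3, 62, 1, 0, ehsize, 0, 0,
                       ehsize, phentsize, 1, 0, 0, 0)
    ph = {"type": PT_DYNAMIC, "flags": 6, "off": dynoff, "vaddr": dynoff,
          "paddr": dynoff, "filesz": len(body), "memsz": len(body), "align": 8}
    return ehdr + struct.pack(phdr_fmt, *(ph[f] for f in fields)) + body


def demo_scan():
    """Run the scanner over a constructed tree: one lazy setuid binary (to be
    reported), one eager setuid binary and one lazy non-setuid file (not)."""
    fixtures = {
        "lazy-suid": (make_elf([(DT_NEEDED, 0)]), stat.S_ISUID),
        "now-suid": (make_elf([(DT_NEEDED, 0), (DT_FLAGS, DF_BIND_NOW)]), stat.S_ISUID),
        "lazy-plain": (make_elf([(DT_NEEDED, 0)]), 0),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, (image, extra_bits) in fixtures.items():
            path = os.path.join(root, name)
            with open(path, "wb") as f:
                f.write(image)
            os.chmod(path, 0o755 | extra_bits)
        return [os.path.basename(p) for p in lazy_setxid_binaries(root)]


if __name__ == "__main__":
    for path in lazy_setxid_binaries(sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"):
        print("lazy-binding setXid binary:", path)
```

For a one-off look at a single binary, readelf -d on it shows the same evidence the scanner keys on: a (BIND_NOW) tag, BIND_NOW under (FLAGS), or NOW under (FLAGS_1); a package rebuilt with LDFLAGS="-Wl,-z,now" as suggested above will carry at least one of them, and the absence of all three on a setXid file is what the QA notice complains about.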