This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: [PATCH 1/5] __fdelt_chk: Removed range check
- From: Adam Conrad <adconrad at 0c3 dot net>
- To: Allan McRae <allan at archlinux dot org>
- Cc: Carlos O'Donell <carlos at redhat dot com>, KOSAKI Motohiro <kosaki dot motohiro at gmail dot com>, Andreas Jaeger <aj at suse dot com>, libc-alpha <libc-alpha at sourceware dot org>
- Date: Wed, 8 May 2013 13:48:07 -0600
- Subject: Re: [PATCH 1/5] __fdelt_chk: Removed range check
- References: <CAHGf_=qewv9SqnjRei0NXuODc_ZW0erm5JkBb1r6T+kgGkuK=w at mail dot gmail dot com> <51843C3D dot 7010701 at archlinux dot org> <518670E1 dot 9040006 at redhat dot com> <5186E7B2 dot 6040502 at archlinux dot org>
On Mon, May 06, 2013 at 09:13:54AM +1000, Allan McRae wrote:
> On 06/05/13 00:46, Carlos O'Donell wrote:
> >>>
> >>> 1. If we disable __fdelt_chk and distro doesn't rebuild any packages.
> >>> -> it works. but the packages are no longer protected by FORTIFY
> >>> until rebuilt.
> >>>
> >>> 4. If we don't disable __fdelt_chk and distro rebuild cherry
> >>> picked packages.
> >>> -> It works. Affected softwares are expected less than twenty.
> >>> However the remained problem is, nobody know full lists
> >>> of affected packages. And third party software which doesn't
> >>> built still may crash.
>
> Essentially. I suppose the false positives are probably only a minor
> inconvenience as far as Linux distros go, given most rebuild their
> entire system when a glibc update happens and others can rebuild the
> small number of packages that will expose this. But this can not be so
> readily handled with third party software.
Debian and Ubuntu (at least) certainly don't rebuild the world on every
toolchain bump, we allow things to rebuild organically as new package
versions are uploaded for other reasons.
If there's a simple/sane programmatic way for us to find everything that
would be affected by (4), so we can rebuild it (and declare a package
relationship between the new glibc and the old versions of packages that
it's now known to break), that's cool, but if it's just tripping over
breakages in the dark for a few years until it's all rebuilt, I'm not
sure that's an acceptable option for us.
... Adam