Description of problem: http://fedoraproject.org/wiki/Packaging:Guidelines#PIE says that "you MUST enable the PIE compiler flags if your package is long running ...". However, currently 389-ds-base is not being built with PIE flags. This is a clear violation of the packaging guidelines. This issue (in its wider scope) is being discussed at, https://fedorahosted.org/fesco/ticket/1104 https://lists.fedoraproject.org/pipermail/devel/2013-March/180827.html Version-Release number of selected component (if applicable): 389-ds-base-1.3.0.5-1.fc19.x86_64.rpm How reproducible: You can use following programs to check if a package is hardened: http://people.redhat.com/sgrubb/files/rpm-chksec OR https://github.com/kholia/checksec Steps to Reproduce: Get scanner.py from https://github.com/kholia/checksec $ ./scanner.py 389-ds-base-1.3.0.5-1.fc19.x86_64.rpm Analyzing 389-ds-base-1.3.0.5-1.fc19.x86_64.rpm ... ... 389-ds-base,389-ds-base-1.3.0.5-1.fc19.x86_64.rpm,/usr/sbin/ns-slapd,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Disabled,RPATH=Enabled,RUNPATH=Disabled,CATEGORY=network-ip Actual results: /usr/sbin/ns-slapd is not PIE. Expected results: /usr/sbin/ns-slapd *should* be PIE. Possible Fix: "_hardened_build" rpm spec macro can be used to harden a package.
FWIW, other distributions are shipping PIE enabled 389-ds-base package. So, I don't see any major blockers on getting this bug fixed. $ ./deb-scanner.py 389-ds-base_1.3.0.3-1ubuntu1_amd64.deb Analyzing 389-ds-base_1.3.0.3-1ubuntu1_amd64.deb ... ?,389-ds-base_1.3.0.3-1ubuntu1_amd64.deb,/usr/sbin/ns-slapd,NX=Enabled,CANARY=Enabled,RELRO=Partial,PIE=Enabled,RPATH=Enabled,RUNPATH=Disabled,CATEGORY=network-ip
Upstream ticket: https://fedorahosted.org/389/ticket/47332
Upstream ticket has been closed (with resolution set to fixed). Will F19 get the fixed package too?
(In reply to comment #3) > Upstream ticket has been closed (with resolution set to fixed). > > Will F19 get the fixed package too? Yes, this package is built with the PIE flag. 389-ds-base-1.3.1.0-1.fc19