Bug 971836 - Review Request: hardening-check - Tool to check ELF for being built hardened
Summary: Review Request: hardening-check - Tool to check ELF for being built hardened
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Ville Skyttä
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
Reported: 2013-06-07 11:37 UTC by Björn 'besser82' Esser
Modified: 2013-06-26 00:41 UTC (History)

Fixed In Version: hardening-check-2.3-2.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-06-11 09:09:15 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
ville.skytta: fedora-review+
gwync: fedora-cvs+



Description Björn 'besser82' Esser 2013-06-07 11:37:06 UTC
Spec URL: http://besser82.fedorapeople.org/review/hardening-check/hardening-check.spec
SRPM URL: http://besser82.fedorapeople.org/review/hardening-check/hardening-check-2.3-1.fc19.src.rpm

Description:
hardening-check is a Perl script to check whether an already compiled ELF was built using hardening flags.

It checks, using readelf, for these hardening characteristics:

  * Position Independent Executable
    (gcc/g++ -fPIE -pie)
  * Stack protected
    (gcc/g++ -D_FORTIFY_SOURCE=2)
  * Fortify Source functions
    (gcc/g++ -fstack-protector --param ssp-buffer-size=4)
  * Read-only relocations
    (ld -z relro)
  * Immediate binding
    (ld -z now)

Fedora Account System Username: besser82
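To show what the five checks above look at in practice, here is an added example that re-implements hardening-check's readelf-based heuristics in Python; it is not the package's own code, and the readelf -h/-l/-d/-s output it runs over is constructed (only the lines the checks inspect are kept). The PIE heuristic (ET_DYN plus a DT_DEBUG tag) and the fortify verdict of "nothing to judge" when no fortifiable function is imported mirror how the tool reports, but are this example's own approximation.

```python
# Added example, not hardening-check's own code: the same readelf-based
# heuristics in Python, run over constructed readelf -h/-l/-d/-s output.
import re

# glibc functions with fortified __*_chk variants (illustrative subset).
FORTIFIABLE = {"memcpy", "memset", "strcpy", "sprintf", "snprintf", "read", "fgets"}

def check_hardening(out: str) -> dict:
    """Map each check to True/False; fortify is None when the binary imports
    no fortifiable libc function, so there is nothing to judge."""
    # Undefined FUNC symbols are libc imports (name stops at the '@' version).
    imports = set(re.findall(r"FUNC\s+(?:GLOBAL|WEAK)\s+\w+\s+UND\s+(\w+)", out))
    fortified = {s for s in imports if s.startswith("__") and s.endswith("_chk")}
    unfortified = imports & FORTIFIABLE
    return {
        # PIE: ET_DYN plus a DT_DEBUG tag (shared libraries have no DT_DEBUG).
        "pie": bool(re.search(r"^\s*Type:\s+DYN\b", out, re.M)) and "(DEBUG)" in out,
        # -fstack-protector makes the binary import the canary failure handler.
        "stack_protector": "__stack_chk_fail" in imports,
        "fortify": bool(fortified) if (fortified or unfortified) else None,
        # -z relro adds a GNU_RELRO program header.
        "relro": bool(re.search(r"^\s*GNU_RELRO\b", out, re.M)),
        # -z now: DT_BIND_NOW tag, DF_BIND_NOW in FLAGS, or DF_1_NOW in FLAGS_1.
        "bind_now": bool(re.search(r"\(BIND_NOW\)|\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*\bNOW\b", out)),
    }

# Constructed readelf output: only the lines the checks look at are kept.
HARDENED = """\
  Type:                              DYN (Shared object file)
  GNU_RELRO      0x000d98 0x0000000000003d98 0x0000000000003d98 0x000268 0x000268 R   0x1
 0x0000000000000015 (DEBUG)              0x0
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (3)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.2.5 (3)
"""

UNHARDENED = """\
  Type:                              EXEC (Executable file)
 0x0000000000000015 (DEBUG)              0x0
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strcpy@GLIBC_2.2.5 (2)
"""
```

On a real binary, feed it the output of `readelf -hldsW <file>`; a result of None for fortify means the binary never calls a function glibc could fortify, which is what hardening-check reports as "unknown" rather than as a failure.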

Comment 2 Ville Skyttä 2013-06-09 10:52:54 UTC
The binutils and glibc-common build deps are redundant and should be removed.

Renaming the docs seems unusual and quite pointless deviation from upstream to me, I'd just refer to their names like in %doc debian/... (non-blocker as far as the review goes).

I suspect that the examples in parenthesis in %description are not quite accurate and are also subject to bitrot, I'd just remove them and while at it, remove some unnecessary bits off it and remove some extraneous hyphens, fix capitalization etc:

----

%{name} is a tool to check whether an already compiled ELF file
was built using hardening flags.

It checks, using readelf, for these hardening characteristics:

  * Position Independent Executable
  * Stack protected
  * Fortify source functions
  * Read-only relocations
  * Immediate binding

Comment 3 Björn 'besser82' Esser 2013-06-09 11:07:48 UTC
Spec URL: http://besser82.fedorapeople.org/review/hardening-check/hardening-check.spec
SRPM URL: http://besser82.fedorapeople.org/review/hardening-check/hardening-check-2.3-2.fc19.src.rpm

%changelog
* Sun Jun 09 2013 Björn Esser <bjoern.esser@gmail.com> - 2.3-2
- removed BuildRequires: binutils glibc-common
- not renaming docs in debian/
- removed terms to be possibly subject to bitrot from %%description
- as suggested by Ville Skyttä during review

* Fri Jun 07 2013 Björn Esser <bjoern.esser@gmail.com> - 2.3-1
- initial rpm release

Comment 4 Björn 'besser82' Esser 2013-06-09 11:27:23 UTC
Thanks for your review, Ville! If I can do a favour (read: review your pkgs) to you, just let me know.

With above changes everything should be fine, I think.

Comment 5 Ville Skyttä 2013-06-09 15:09:34 UTC
Looks good, approved.

And thanks for the offer, I'll try to keep it in mind when/if I have some new packages to submit sometime.

Comment 6 Björn 'besser82' Esser 2013-06-09 15:14:50 UTC
All right! Thanks again! Just drop me a PM, somewhen...

New Package SCM Request
=======================
Package Name: hardening-check
Short Description: Tool to check ELF for being built hardened
Owners: besser82
Branches: f19 f18 el6
InitialCC:

Comment 7 Gwyn Ciesla 2013-06-10 12:39:49 UTC
Git done (by process-git-requests).

Comment 8 Fedora Update System 2013-06-10 12:57:35 UTC
hardening-check-2.3-2.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/hardening-check-2.3-2.fc19

Comment 9 Fedora Update System 2013-06-10 12:58:07 UTC
hardening-check-2.3-2.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/hardening-check-2.3-2.fc18

Comment 10 Fedora Update System 2013-06-10 12:58:49 UTC
hardening-check-2.3-2.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/hardening-check-2.3-2.el6

Comment 11 Fedora Update System 2013-06-10 17:05:49 UTC
hardening-check-2.3-2.el6 has been pushed to the Fedora EPEL 6 testing repository.

Comment 12 Fedora Update System 2013-06-11 09:09:15 UTC
hardening-check-2.3-2.fc18 has been pushed to the Fedora 18 stable repository.

Comment 13 Fedora Update System 2013-06-12 03:36:03 UTC
hardening-check-2.3-2.fc19 has been pushed to the Fedora 19 stable repository.

Comment 14 Fedora Update System 2013-06-26 00:41:53 UTC
hardening-check-2.3-2.el6 has been pushed to the Fedora EPEL 6 stable repository.
