Red Hat Bugzilla – Bug 972967
Build up-imapproxy with PIE support
Last modified: 2013-08-08 00:20:23 EDT
network-services must be hardened builds
[root@testserver:~]$ hardening-check /usr/sbin/in.imapproxyd
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no, not found!
can someone explain why there is no feedback and http://fedoraproject.org/wiki/Packaging:Guidelines is ignored?
"MUST enable" is pretty clear and no opt-in
the "Partial RELRO" should also be "FULL RELRO"
> If your package meets any of the following criteria you MUST enable
> the PIE compiler flags:
> Your package is long running. This means it's likely
> to be started and keep running until the machine is rebooted,
> not start on demand and quit on idle
[root@testserver:~]$ checksec --file /usr/sbin/in.imapproxyd
RELRO           STACK CANARY   NX           PIE      RPATH      RUNPATH      FILE
Partial RELRO   Canary found   NX enabled   No PIE   No RPATH   No RUNPATH   /usr/sbin/in.imapproxyd
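Added example, not part of the original bug thread or of either tool: Python that derives the PIE, RELRO and immediate-binding findings reported above from the ELF headers themselves. The names `classify` and `build_sample`, the result labels and the header-only sample images are constructed for illustration; treating `DT_DEBUG` as the marker that separates a PIE from a shared library is a heuristic assumed here.

```python
import struct

ET_DYN = 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_DEBUG, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 21, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def classify(elf: bytes) -> tuple:
    """Return (pie, relro) labels for a little-endian ELF64 image."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    (e_type,) = struct.unpack_from("<H", elf, 16)
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    has_relro, dyn = False, {}
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            # Walk the 16-byte (tag, value) entries up to DT_NULL.
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", elf, off)
                if tag == DT_NULL:
                    break
                dyn[tag] = val
    # Immediate binding: without it the GOT stays writable after startup,
    # so a GNU_RELRO segment only gives "Partial RELRO".
    bind_now = bool(DT_BIND_NOW in dyn or dyn.get(DT_FLAGS, 0) & DF_BIND_NOW
                    or dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)
    # ET_DYN alone also matches shared libraries; DT_DEBUG is the assumed
    # heuristic for "this ET_DYN object is an executable".
    pie = ("PIE" if DT_DEBUG in dyn else "DSO") if e_type == ET_DYN else "No PIE"
    relro = "No RELRO" if not has_relro else "Full RELRO" if bind_now else "Partial RELRO"
    return pie, relro

def build_sample(e_type: int, relro: bool, dyn: list) -> bytes:
    """Constructed header-only ELF64 image for the demo (not a runnable binary)."""
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in dyn + [(DT_NULL, 0)])
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 176, 0, 0, len(dyn_bytes), len(dyn_bytes), 8)
    phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO if relro else 0, 4, 0, 0, 0, 0, 0, 1)
    return ehdr + phdrs + dyn_bytes

if __name__ == "__main__":
    print(classify(build_sample(2, True, [])))  # same findings as the binary in this report
    print(classify(build_sample(ET_DYN, True, [(DT_DEBUG, 0), (DT_FLAGS, DF_BIND_NOW)])))
```

The first sample reproduces the state reported for /usr/sbin/in.imapproxyd; the second is what a hardened build of the same kind of binary looks like to this check.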
Harald, thank you for your report and your assistance in making Fedora better.
Clearly this package is important to you, so if the primary maintainer is not being as responsive as you would be able to be, please consider offering to take over or co-maintain the package.
I am not the maintainer of the up-imapproxy branch in Fedora, however this is interesting to me as the maintainer of the EPEL5 branch too. It seems from your comment that was posted in bug #465859 that you have built packages that fix this and other issues. Please elaborate, for example by posting a working spec file. I just tried very briefly to build with _hardened_build on F17 (yes, need to try on a newer version) but got:
gcc: fatal error: /usr/lib/rpm/redhat/redhat-hardened-cc1: attempt to rename spec 'cc1_options' to already defined spec 'rh_cc1_options_old'
Created attachment 781033
my personal spec-file attached
sorry, but I have no free time to deal with the fedora build-systems and package-guidelines and my personal builds of any server-software we use do not ship any configurations for good reasons
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
*** This bug has been marked as a duplicate of bug 955448 ***