From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Re-shipping binaries due to _FORTIFY_SOURCE=3
Date: Tue, 21 May 2024 15:55:27 +0100
Message-ID: <F2CE684C-48C7-47C6-98B3-D1090A4B43B8@ipfire.org>
In-Reply-To: <72272574-b5a9-4c86-a9de-dc6f16a0e3b0@ipfire.org>
Hello Peter,
well, this is a difficult topic. We have shipped quite a lot in the consecutive updates, but generally when we have any changes on the toolchain we cannot ship everything rebuilt at once. That would simply make the update too large.
Either we spend some time on Pakfire to upload less and then install so that we don’t have to worry about the update size at all any more, or we have to keep being conservative with what we ship at a time.
On this particular change, glibc is not affected, as it is being configured with its own CFLAGS. However, this particular change probably changes every single binary. We have re-shipped everything that exposes any network stuff, and crucial libraries that parse images, XML, and so on. I think that this is pretty much the best we can do.
Best,
-Michael
> On 21 May 2024, at 10:50, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>
> Hello *,
>
> while trying to figure out the odd Suricata and kernel behavior with Core Update 186
> I encountered the other day, I noted that cecad543cb59d0e052cea437cc064bb0924cdbd2
> mentions that having properly applied the _FORTIFY_SOURCE=3 change entails that we
> re-ship "everything" (I assume that means every executable binary :-) ).
>
> It seems like we didn't do so ever since this commit was merged into next, and while
> doing so in one go is not possible, I was wondering if we perhaps want to re-ship
> the most critical parts, such as binaries of services directly exposed to the network,
> the glibc, and similar components.
>
> Just a thought that occurred to me.
>
> Thanks, and best regards,
> Peter Müller