On Fri, Feb 26, 2021 at 07:34:03PM +0100, Gordon Bergling wrote: > On Thu, Feb 25, 2021 at 03:58:07PM -0500, Ed Maste wrote: > > As of 9a227a2fd642 (main-n245052) base system binaries are now built > > as position-independent executable (PIE) by default, for 64-bit > > architectures. PIE executables are used in conjunction with address > > randomization as a mitigation for certain types of security > > vulnerabilities. > > > > If you track -CURRENT and normally build WITHOUT_CLEAN you'll need to > > do one initial clean build -- either run `make cleanworld` or set > > WITH_CLEAN=yes. > > > > No significant user-facing changes are expected from this change, but > > there are some minor ones. For example, `file` will indicate that > > binaries are PIE by reporting something like `ELF 64-bit LSB pie > > executable` rather than `ELF 64-bit LSB executable`. Also, for most > > workloads no notable performance impact is expected. > > > > For almost all ports this should result in no change. There are a > > small number of ports that use base system /usr/share/mk > > infrastructure and thus inherit the base system default, and some of > > those initially failed to build. Those found during an exp-run in > > PR253275 have been addressed or have patches waiting. > > > > Please watch out for any new issues after you next update the base > > system and/or ports, and report issues via a Bugzilla PR or in reply > > here. > > Thats a huge step forward in terms on security. Can you explain why? Thanks. > Thanks for the efforts and anyone involved. > > --GordonReceived on Fri Feb 26 2021 - 17:58:11 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:27 UTC