On Fri, Feb 26, 2021 at 08:32:26PM +0100, Gordon Bergling wrote: > On Fri, Feb 26, 2021 at 08:57:55PM +0200, Konstantin Belousov wrote: > > On Fri, Feb 26, 2021 at 07:34:03PM +0100, Gordon Bergling wrote: > > > On Thu, Feb 25, 2021 at 03:58:07PM -0500, Ed Maste wrote: > > > > As of 9a227a2fd642 (main-n245052) base system binaries are now built > > > > as position-independent executable (PIE) by default, for 64-bit > > > > architectures. PIE executables are used in conjunction with address > > > > randomization as a mitigation for certain types of security > > > > vulnerabilities. > > > > > > > > If you track -CURRENT and normally build WITHOUT_CLEAN you'll need to > > > > do one initial clean build -- either run `make cleanworld` or set > > > > WITH_CLEAN=yes. > > > > > > > > No significant user-facing changes are expected from this change, but > > > > there are some minor ones. For example, `file` will indicate that > > > > binaries are PIE by reporting something like `ELF 64-bit LSB pie > > > > executable` rather than `ELF 64-bit LSB executable`. Also, for most > > > > workloads no notable performance impact is expected. > > > > > > > > For almost all ports this should result in no change. There are a > > > > small number of ports that use base system /usr/share/mk > > > > infrastructure and thus inherit the base system default, and some of > > > > those initially failed to build. Those found during an exp-run in > > > > PR253275 have been addressed or have patches waiting. > > > > > > > > Please watch out for any new issues after you next update the base > > > > system and/or ports, and report issues via a Bugzilla PR or in reply > > > > here. > > > > > > Thats a huge step forward in terms on security. > > Can you explain why? > > > > Thanks. > > I can try. Enabling PIE for every 64bit architecture is in that matter a step > forward in security as it enables ASLR for further adoption. But isn't it well-known that ASLR/ASR/any-related-buzzwork does not add any security, except imaginary? The only purpose of it is to have a check-list item ticked green. You clearly should mean something useful and much more important than that, when stating that FreeBSD made a huge step forward. So I want to be aware of the advance.Received on Sat Feb 27 2021 - 23:47:22 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:27 UTC