Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 413751

Summary: dev-lang/python: Investigate and test pax markings
Product: Gentoo Linux Reporter: Mike Gilbert <floppym>
Component: [OLD] UnspecifiedAssignee: Python Gentoo Team <python>
Status: RESOLVED WORKSFORME    
Severity: normal CC: arfrever.fta, h.v.bruinehsen, nikoli, pageexec, spender
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 413671    
Bug Blocks:    

Description Mike Gilbert gentoo-dev 2012-04-27 16:14:20 UTC 
The python ebuilds I brought over from Progress overlay call pax-mark m python from src_compile. We should determine the purpose of this.

They also depend on sys-apps/paxctl. I believe this dependency was added to workaround some bug in scanelf when it is used to mark shared libraries. See bug 413671. I am able to build python successfully without this dependency, so I believe it may be dropped.
Comment 1 Arfrever Frehtes Taifersar Arahesis 2012-04-27 19:20:49 UTC 
Dependency on sys-apps/paxctl was workaround for bug #411919.

This dependency was removed from master ebuilds before bug #413671 was filed.
http://code.google.com/p/gentoo-progress/source/detail?r=2037
This dependency was removed due to discussion in #gentoo-hardened in 2012-04-22.

pax-mark() is called to fix bug #329499. If a potential better solution in libffi/ctypes is implemented and accepted by upstreams, then pax-mark() won't be needed.
Comment 2 Mike Gilbert gentoo-dev 2012-04-28 05:04:02 UTC 
Thanks for the explanation.
Comment 3 Anthony Basile gentoo-dev 2012-05-15 15:19:27 UTC 
(In reply to comment #1)
> Dependency on sys-apps/paxctl was workaround for bug #411919.
> 
> pax-mark() is called to fix bug #329499. If a potential better solution in
> libffi/ctypes is implemented and accepted by upstreams, then pax-mark()
> won't be needed.

This is disappointing to say the least because it puts a huge hole in hardened's security.  Can we relax this condition and not insist on getting patches accepted upstream first, but rather just apply them conditionally.  Then the hardened user will just have to take the lumps for using wild and crazy patches.
Comment 4 Matt Summers (RETIRED) gentoo-dev 2012-05-15 15:22:02 UTC 
I agree with blueness, if we cannot get patches upstream and we know the patches are fine for those of us using hardened, then at the very least let the patch (or sed) be conditionally applied. It might be nice to note that the Pax feature "MPROTECT_COMPAT" helps in this area as well.
Comment 5 Arfrever Frehtes Taifersar Arahesis 2012-05-15 18:51:00 UTC 
(In reply to comment #4)

Have you even sent the patch to libffi upstream?