Date: Fri, 26 Aug 2016 19:00:09 +0300 From: Konstantin Belousov <kostikbel@gmail.com> To: Pedro Giffuni <pfg@FreeBSD.org> Cc: freebsd-toolchain@FreeBSD.org Subject: Re: Time to enable partial relro Message-ID: <20160826160009.GU83214@kib.kiev.ua> In-Reply-To: <a9e93c24-9c30-29e4-b949-faa1a7928606@FreeBSD.org> References: <b75890eb-d8bd-759e-002f-ab0c16db0975@FreeBSD.org> <20160826105618.GS83214@kib.kiev.ua> <a9e93c24-9c30-29e4-b949-faa1a7928606@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Aug 26, 2016 at 10:00:58AM -0500, Pedro Giffuni wrote: > > > On 08/26/16 05:56, Konstantin Belousov wrote: > > On Thu, Aug 25, 2016 at 05:50:31PM -0500, Pedro Giffuni wrote: > >> Hello; > >> > >> GNU RELRO support was committed in r230784 (2012-01-30) but we never > >> enabled it by default. > >> > >> There was some discussion about it on > >> https://reviews.freebsd.org/D3001 > >> > >> By now, all Linux distributions, NetBSD and DragonFly support it and > >> it is the default for most systems in binutils 2.27. > >> > >> This doesn't affect performance, I ran it through an exp-run last > >> year, no other OS has had issues etc ... seems safe and can be > >> disabled if needed when linking. > > Exp-run does not test anything interesting about relro. If all testing > > that was done is basically just an exp-run, then there was no useful > > runtime testing done. > > > > The exp-run does cover Java and other VM-type thingies that bootstrap. > For upstream binutils this is now the default (at least for linux, > they never ask us if we want to follow). So the change has been tested > extensively but perhaps not on cases that are relevant to us. > > Note that the "fix" for any port is ultimately trivial: > LDFLAGS+= "-z norelro" > > >> > >> I think it's time to enable it be default in our base binutils. If > >> there are no objections, I will just commit the attached patch over > >> the weekend. > > > > There are objections, the change must be runtime tested on large and > > representative set of real-world applications before turning the knob. > > > > You are not giving any hint on what would be a "representative set of > real-world applications". Given that you committed the initial support > your objection stands very high and is a blocker. :( Well, I indeed do not think that 'works on my desktop' is good enough testing for this change. I understand that it is impossible to test all ports at runtime, or even a significant percentage of them, not to mention programs which sit on the user's storage. What actually worries me in the fate of such changes is that submitter never starts monitoring user complains and see whether the change causes some delayed random breakage. It just ends up in the 'BSD is broken' basket with one more supportive case. > > As I see it committing it now would give ample time to test this in > current before it hits any release. If you want more extensive testing > merging it in -stable right after the 11-Release is guaranteed to help > weed out any remaining update ports may need. It is useless 'testing' when the cause of breakage is not actively looked for and identified. You commit it now, five months later some unlucky user reports that his application coredumps. What next ?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20160826160009.GU83214>