Hello again Doko, I'm reaching out once again (and updating the bug) to ask if perhaps you could take a look at my patch. I really just want to remove 4 lines of code! https://salsa.debian.org/maker-guest/python3/commit/ecb4c4647e99243d03888ee5ddec5dfdfd223d5c
I tested the compiled package (once again, on your updated revision) and everything seemed okay on my machine. I tried to reach out to you via Holger, who said I should double-check for potential performance issues and whether other distributions use it. On Fedora, Giovanni tested python3-3.7.3-1.fc30.i686.rpm:

$ hardening-check python3
python3:
 Position Independent Executable: yes
 Stack protected: no, not found!
 Fortify Source functions: unknown, no protectable libc functions used
 Read-only relocations: yes
 Immediate binding: yes

Attached, you will find the result of pyperformance compare between python3.8 compiled with -fPIE and without. I don't really buy the argument of performance loss in a language like python, especially given the big attack surface we are offering right now; anyway, just for the record, it's between 2-5x slower, which doesn't seem so dramatic to me. I also find it very suspicious that in the git log (of python 3 and python 2) there is no justification for disabling PIE explicitly: why was this code there in the first place? I'm going to try escalating this issue to other people in Debian security if I don't get a reply within a week!

Cheers,
python3.8.json
==============

Performance version: 0.9.1
Report on Linux-5.2.0-3-amd64-x86_64-with-glibc2.29
Number of logical CPUs: 8
Start date: 2019-11-08 14:32:36.211112
End date: 2019-11-08 14:51:02.391168

python3.8-pie.json
==================

Performance version: 0.9.1
Report on Linux-5.2.0-3-amd64-x86_64-with-glibc2.29
Number of logical CPUs: 8
Start date: 2019-11-08 16:00:57.381387
End date: 2019-11-08 16:52:30.050092

### 2to3 ###
Mean +- std dev: 382 ms +- 30 ms -> 1510 ms +- 16 ms: 3.95x slower
Significant (t=-257.30)

### chameleon ###
Mean +- std dev: 9.73 ms +- 0.54 ms -> 50.93 ms +- 1.22 ms: 5.23x slower
Significant (t=-239.69)

### chaos ###
Mean +- std dev: 114 ms +- 3 ms -> 601 ms +- 13 ms: 5.27x slower
Significant (t=-290.39)

### crypto_pyaes ###
Mean +- std dev: 119 ms +- 3 ms -> 600 ms +- 12 ms: 5.02x slower
Significant (t=-302.80)

### deltablue ###
Mean +- std dev: 7.37 ms +- 0.18 ms -> 37.79 ms +- 1.15 ms: 5.13x slower
Significant (t=-202.75)

### django_template ###
Mean +- std dev: 113 ms +- 3 ms -> 562 ms +- 9 ms: 4.96x slower
Significant (t=-386.69)

### dulwich_log ###
Mean +- std dev: 75.6 ms +- 7.0 ms -> 229.1 ms +- 2.5 ms: 3.03x slower
Significant (t=-160.25)

### fannkuch ###
Mean +- std dev: 483 ms +- 8 ms -> 2681 ms +- 236 ms: 5.55x slower
Significant (t=-72.14)

### float ###
Mean +- std dev: 124 ms +- 27 ms -> 557 ms +- 12 ms: 4.49x slower
Significant (t=-113.89)

### genshi_text ###
Mean +- std dev: 29.3 ms +- 0.8 ms -> 164.9 ms +- 3.2 ms: 5.63x slower
Significant (t=-316.02)

### genshi_xml ###
Mean +- std dev: 63.0 ms +- 1.4 ms -> 316.1 ms +- 11.5 ms: 5.02x slower
Significant (t=-169.69)

### go ###
Mean +- std dev: 266 ms +- 5 ms -> 1295 ms +- 27 ms: 4.87x slower
Significant (t=-286.33)

### hexiom ###
Mean +- std dev: 9.94 ms +- 0.18 ms -> 55.10 ms +- 1.35 ms: 5.54x slower
Significant (t=-255.95)

### html5lib ###
Mean +- std dev: 106 ms +- 23 ms -> 379 ms +- 11 ms: 3.58x slower
Significant (t=-82.02)

### json_dumps ###
Mean +- std dev: 13.0 ms +- 0.3 ms -> 58.4 ms +- 1.1 ms: 4.49x slower
Significant (t=-297.94)

### json_loads ###
Mean +- std dev: 27.6 us +- 3.8 us -> 94.7 us +- 2.5 us: 3.44x slower
Significant (t=-113.73)

### logging_format ###
Mean +- std dev: 10.7 us +- 2.1 us -> 47.0 us +- 1.1 us: 4.40x slower
Significant (t=-119.27)

### logging_silent ###
Mean +- std dev: 191 ns +- 4 ns -> 1088 ns +- 24 ns: 5.68x slower
Significant (t=-280.28)

### logging_simple ###
Mean +- std dev: 8.81 us +- 0.22 us -> 43.59 us +- 1.05 us: 4.95x slower
Significant (t=-250.15)

### mako ###
Mean +- std dev: 15.7 ms +- 0.4 ms -> 83.8 ms +- 1.6 ms: 5.36x slower
Significant (t=-329.65)

### meteor_contest ###
Mean +- std dev: 108 ms +- 6 ms -> 471 ms +- 8 ms: 4.38x slower
Significant (t=-278.12)

### nbody ###
Mean +- std dev: 124 ms +- 3 ms -> 643 ms +- 15 ms: 5.19x slower
Significant (t=-258.26)

### nqueens ###
Mean +- std dev: 99.0 ms +- 1.5 ms -> 602.6 ms +- 12.0 ms: 6.08x slower
Significant (t=-322.11)

### pathlib ###
Mean +- std dev: 21.0 ms +- 0.5 ms -> 81.6 ms +- 1.5 ms: 3.88x slower
Significant (t=-289.94)

### pickle ###
Mean +- std dev: 9.90 us +- 0.18 us -> 38.07 us +- 0.73 us: 3.85x slower
Significant (t=-290.97)

### pickle_dict ###
Mean +- std dev: 22.9 us +- 1.4 us -> 80.3 us +- 1.6 us: 3.51x slower
Significant (t=-212.24)

### pickle_list ###
Mean +- std dev: 2.86 us +- 0.05 us -> 11.88 us +- 0.27 us: 4.16x slower
Significant (t=-256.33)

### pickle_pure_python ###
Mean +- std dev: 491 us +- 89 us -> 2672 us +- 67 us: 5.44x slower
Significant (t=-151.12)

### pidigits ###
Mean +- std dev: 202 ms +- 15 ms -> 712 ms +- 12 ms: 3.52x slower
Significant (t=-205.01)

### python_startup ###
Mean +- std dev: 9.64 ms +- 2.40 ms -> 19.72 ms +- 0.23 ms: 2.05x slower
Significant (t=-59.23)

### python_startup_no_site ###
Mean +- std dev: 6.06 ms +- 0.86 ms -> 13.10 ms +- 0.22 ms: 2.16x slower
Significant (t=-112.50)

### raytrace ###
Mean +- std dev: 506 ms +- 35 ms -> 2870 ms +- 51 ms: 5.67x slower
Significant (t=-295.46)

### regex_compile ###
Mean +- std dev: 180 ms +- 3 ms -> 856 ms +- 21 ms: 4.75x slower
Significant (t=-242.37)

### regex_dna ###
Mean +- std dev: 172 ms +- 3 ms -> 375 ms +- 7 ms: 2.18x slower
Significant (t=-198.14)

### regex_effbot ###
Mean +- std dev: 3.25 ms +- 0.19 ms -> 10.15 ms +- 0.62 ms: 3.12x slower
Significant (t=-82.30)

### regex_v8 ###
Mean +- std dev: 24.0 ms +- 1.2 ms -> 74.9 ms +- 1.4 ms: 3.12x slower
Significant (t=-212.66)

### richards ###
Mean +- std dev: 69.1 ms +- 1.6 ms -> 397.4 ms +- 16.3 ms: 5.75x slower
Significant (t=-155.20)

### scimark_fft ###
Mean +- std dev: 355 ms +- 5 ms -> 1641 ms +- 34 ms: 4.62x slower
Significant (t=-288.71)

### scimark_lu ###
Mean +- std dev: 153 ms +- 3 ms -> 847 ms +- 13 ms: 5.54x slower
Significant (t=-408.38)

### scimark_monte_carlo ###
Mean +- std dev: 109 ms +- 2 ms -> 538 ms +- 12 ms: 4.95x slower
Significant (t=-276.66)

### scimark_sor ###
Mean +- std dev: 209 ms +- 5 ms -> 1135 ms +- 22 ms: 5.44x slower
Significant (t=-321.28)

### scimark_sparse_mat_mult ###
Mean +- std dev: 4.58 ms +- 0.28 ms -> 23.50 ms +- 0.41 ms: 5.13x slower
Significant (t=-294.64)

### spectral_norm ###
Mean +- std dev: 138 ms +- 2 ms -> 790 ms +- 15 ms: 5.75x slower
Significant (t=-330.74)

### sqlalchemy_declarative ###
Mean +- std dev: 175 ms +- 4 ms -> 551 ms +- 11 ms: 3.16x slower
Significant (t=-249.33)

### sqlalchemy_imperative ###
Mean +- std dev: 34.2 ms +- 0.9 ms -> 94.6 ms +- 2.4 ms: 2.76x slower
Significant (t=-181.93)

### sqlite_synth ###
Mean +- std dev: 3.10 us +- 0.06 us -> 8.75 us +- 0.21 us: 2.82x slower
Significant (t=-204.07)

### sympy_expand ###
Mean +- std dev: 594 ms +- 146 ms -> 1952 ms +- 38 ms: 3.29x slower
Significant (t=-69.92)

### sympy_integrate ###
Mean +- std dev: 22.4 ms +- 4.8 ms -> 83.6 ms +- 1.7 ms: 3.73x slower
Significant (t=-93.50)

### sympy_str ###
Mean +- std dev: 284 ms +- 9 ms -> 1156 ms +- 18 ms: 4.07x slower
Significant (t=-340.56)

### sympy_sum ###
Mean +- std dev: 186 ms +- 38 ms -> 619 ms +- 12 ms: 3.33x slower
Significant (t=-83.09)

### telco ###
Mean +- std dev: 7.06 ms +- 0.22 ms -> 26.39 ms +- 0.85 ms: 3.74x slower
Significant (t=-170.88)

### tornado_http ###
Mean +- std dev: 277 ms +- 10 ms -> 795 ms +- 14 ms: 2.87x slower
Significant (t=-229.59)

### unpack_sequence ###
Mean +- std dev: 58.0 ns +- 4.2 ns -> 332.3 ns +- 26.8 ns: 5.73x slower
Significant (t=-78.30)

### unpickle ###
Mean +- std dev: 14.8 us +- 2.1 us -> 71.8 us +- 1.8 us: 4.84x slower
Significant (t=-162.05)

### unpickle_list ###
Mean +- std dev: 5.10 us +- 0.10 us -> 21.57 us +- 0.61 us: 4.23x slower
Significant (t=-207.58)

### unpickle_pure_python ###
Mean +- std dev: 347 us +- 6 us -> 1926 us +- 49 us: 5.55x slower
Significant (t=-250.13)

### xml_etree_generate ###
Mean +- std dev: 95.4 ms +- 2.0 ms -> 495.6 ms +- 13.5 ms: 5.19x slower
Significant (t=-227.78)

### xml_etree_iterparse ###
Mean +- std dev: 108 ms +- 6 ms -> 386 ms +- 7 ms: 3.55x slower
Significant (t=-241.51)

### xml_etree_parse ###
Mean +- std dev: 161 ms +- 9 ms -> 423 ms +- 10 ms: 2.63x slower
Significant (t=-158.41)

### xml_etree_process ###
Mean +- std dev: 76.3 ms +- 1.9 ms -> 395.7 ms +- 8.8 ms: 5.18x slower
Significant (t=-274.59)
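The hardening-check lines quoted in the report above ("Position Independent Executable" and "Read-only relocations") come straight from the ELF header and program headers. The following script is an added example, not part of the bug report or the Debian python3 packaging: it reads those two facts from an ELF64 image using the heuristic that ET_DYN plus a PT_INTERP segment means a PIE executable, and PT_GNU_RELRO means read-only relocations. The `build_sample` image is constructed (header and program headers only, not loadable) so the check runs offline; pass a real binary path to inspect it instead.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_INTERP, PT_GNU_RELRO = 3, 0x6474E552


def inspect_elf64(data: bytes) -> dict:
    """Report PIE and RELRO facts for a little-endian ELF64 image held in memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    # e_type and the program-header table geometry live in the 64-byte ELF header.
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    p_types = [struct.unpack_from("<I", data, e_phoff + i * e_phentsize)[0]
               for i in range(e_phnum)]
    # Heuristic: ET_DYN with a PT_INTERP segment is an executable the loader can
    # place at a random base (PIE); ET_DYN without one is a plain shared library.
    has_interp = PT_INTERP in p_types
    return {"pie": e_type == ET_DYN and has_interp,
            "relro": PT_GNU_RELRO in p_types}


def report(data: bytes) -> list:
    """Two hardening-check style lines for the image."""
    facts = inspect_elf64(data)
    return ["Position Independent Executable: " + ("yes" if facts["pie"] else "no"),
            "Read-only relocations: " + ("yes" if facts["relro"] else "no")]


def build_sample(pie: bool, relro: bool) -> bytes:
    """Constructed, non-loadable ELF64 image: a header plus program headers only."""
    types = [PT_INTERP] + ([PT_GNU_RELRO] if relro else [])
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LSB, version 1
    header = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62,
                                 1, 0, 64, 0, 0, 64, 56, len(types), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, 0, 0, 0, 0, 0, 0) for t in types)
    return header + phdrs


if __name__ == "__main__":
    import sys
    # Pass a real binary (e.g. the python3 under test) or fall back to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample(True, True)
    print("\n".join(report(data)))
```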