Arch Linux seems to have PIE too:

$ file /usr/bin/python3.7
/usr/bin/python3.7: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=edce9cb329b348463d5c868aa48bac4e146ce0e7, for GNU/Linux 3.2.0, stripped

Hope this clarifies a bit more what «other distros also do» meant in the top message.

Ciao,

On Fri, Nov 8, 2019 at 5:21 PM Michele Orrù <michele.o...@ens.fr> wrote:

> Hello again Doko,
>
> I'm reaching out once again (and updating the bug) to ask if perhaps you
> could take a look at my patch. I really just want to remove 4 lines of
> code!
>
> https://salsa.debian.org/maker-guest/python3/commit/ecb4c4647e99243d03888ee5ddec5dfdfd223d5c
>
> I tested the compiled package (once again, on your updated revision) and
> everything seemed okay on my machine.
>
> I tried to reach out to you via Holger, who said I should double-check for
> potential performance issues and whether other distributions use it.
>
> On Fedora, Giovanni tested python3-3.7.3-1.fc30.i686.rpm
>
> $ hardening-check python3
> python3:
>  Position Independent Executable: yes
>  Stack protected: no, not found!
>  Fortify Source functions: unknown, no protectable libc functions used
>  Read-only relocations: yes
>  Immediate binding: yes
>
> Attached, you will find the result of pyperformance compare between
> python3.8 compiled with -fPIE and without. I don't really buy the argument
> of performance loss in a language like Python, especially given the big
> attack surface we are offering right now; anyways, just for the record,
> it's between 2-5x slower, which doesn't seem so dramatic to me.
>
> I also find it very suspicious that in the git log (of python 3 and python
> 2) there is no justification for disabling PIE explicitly: why was this code
> there in the first place?
>
> I'm going to try escalating this issue to other people in Debian security
> if I don't get a reply within a week!
> Cheers,
>