On 08.11.19 17:21, Michele Orrù wrote:
Hello again Doko,
I'm reaching out once again (and updating the bug) to ask if perhaps you
could take a look at my patch. I really just want to remove 4 lines of
code!
https://salsa.debian.org/maker-guest/python3/commit/ecb4c4647e99243d03888ee5ddec5dfdfd223d5c
I tested the compiled packaged (once again, on your updated revision) and
everything seemed okay on my machine.
I tried to reach out to you via Holger, who said I should double-check for
potential performance issues and whether other distributions use it.
On fedora, Giovanni tested python3-3.7.3-1.fc30.i686.rpm
$ hardening-check python3
python3:
Position Independent Executable: yes
Stack protected: no, not found!
Fortify Source functions: unknown, no protectable libc functions used
Read-only relocations: yes
Immediate binding: yes
Attached, you will find the result of pyperformance compare between
python3.8 compiled with -fPIE and without. I don't really buy the argument
of performance loss in a language like python, especially given the big
attack surface we are offering right now; anyways, just for the record,
it's between 2-5x slower, which doesn't seem so dramatic to me.
I also find it very suspicious that in the git log (of python 3 and python
2) there is no justification for disabling PIE explicitly: why this code
was there in the first place?
I'm going to try escalating this issue to other people in debian security
if I don't get a reply within a week!
seriously? For a few months you are writing emails without subject landing in
my spam folder, and then you are starting threats?
> other people in debian security
can't find you in
https://www.debian.org/intro/organization#security
I also doubt very much your numbers, 2.5 - 5 times slower is not expected. PIE
has some impact, but not that bad.
Matthias
