> > On Mon, Aug 08, 2016 at 09:33:50AM -0600, Theo de Raadt wrote:
> >> > On 2016-08-07, Carlin Bingham <c...@viennan.net> wrote:
> >> > 
> >> > > What should be done for ports like (just for example) calibre?
> >> > > It uses python, and uses PyQtWebkit to pull in Qt5Webkit which maps WX
> >> > > for its jit. Python itself doesn't need wxneeded but for calibre (and
> >> > > possibly other ports) to work it will.
> >> > 
> >> > I don't know how to handle this.  The model of tying wxneeded
> >> > permissions to an executable is ill suited for this.
> >> > 
> >> > Maybe have both python and python-wx and use the latter for things
> >> > like calibre?
> >> > Do we have a Perl module that violates W^X in the ports tree?
> >> > 
> >> > Ideas?
> >> 
> >> Just mark python, and move on.
> >> 
> >> In a few months we'll be able to circle back and decide.
> > This does the trick and allows me to run something using 
> > PyQtWebkit/Qt5Webkit:
> 
> It would be nice if we could create wxneeded executables *after* link
> time.  It would then be easy to tweak ports that use
> libs like PyQtWebkit/Qt5Webkit to point at eg
> /usr/local/bin/python2.7-wxneeded.

I don't like it.

The purpose of wxneeded is to get us over this hump where the
ecosystem has some software which requires W|X behaviour.

By doing so, it will curate a list of software which has the bad
practice.  If all software which needs the option has the flag, there's
your list.

Eventually we can request that all the software on this list gets
fixed -- or choose with our feet to use software which gets it right
-- and then we can delete the wxneeded flag.  One by one.

I am completely serious.

I was serious when we made the stack-protector mandatory, and got
the world to accept that.  I was serious when we made ASLR mandatory,
and got the world to accept that.  I was serious lots of other times
when we made the safe code path mandatory, and slowly dragged software
on the wrong track towards the right path.

Yes, it will take 1-2 decades, like the others.  And that doesn't
bother me.  Check back in 20 years and tell me if I was right or
wrong!

In the meantime, let's not abuse a system-dependent temporary measure.
