> I'm on the fence about this. Basically, you are asking all users of ruby to > accept additional insecurity, because you want to use an extension that most > users of ruby are not using.
Ruby upstream inadvertently created that situation by participating in a culture of runtime use of W^X violating libraries. > As an occasional user of therubyracer, I can understand your frustration. > I think a better solution would be to allow users that want to allow W|X > to mark such executables themselves, instead of forcing all users to > accept insecurity for the convenience of a few. However, I'm not > qualified to determine if that is a feasible idea. Well, there is no way to mark an executable after the fact. We are heading that way intentionally -- the *development* process marks the binaries. It is done at link time in the package, and they only run on filesystems that permit it. This decision is intentional. We don't want our users tweaking /usr/local. If every user may/can/will mark their executables, why would the upstreams ever walk away from creating writeable+executable mappings? Where is the backpressure against the upstream developers, to prod them into the direction of writing better software? In your proposal, that is absent. Then future upstream software developers will not get a sense that W^X violating software is a bad idea, and more of it will be produced. Yes, maybe the end result is that 20% of /usr/local is marked wxneeded, because of library dependencies. It will be the TRUTH. We need the truth to be blatant, before upstreams pay attention. Right now there insufficient documentation on how bad the W^X JIT situation really is, wxneeded markers are going to expose the situation.
