From Fedora Project Wiki
(Undo revision 660364 by Siddhesh (talk))
Tag: Undo
Line 82: Line 82:
<!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)?  Is a mass rebuid required?  If a rel-eng ticket exists, add a link here.  
<!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)?  Is a mass rebuid required?  If a rel-eng ticket exists, add a link here.  
Please work with releng prior to feature submission, and ensure that someone is on board to do any process development work and testing; don't just assume that a bullet point in a change puts someone else on the hook.-->
Please work with releng prior to feature submission, and ensure that someone is on board to do any process development work and testing; don't just assume that a bullet point in a change puts someone else on the hook.-->
** [[Fedora_Program_Management/ReleaseBlocking/Fedora{{38|next}}|List of deliverables]]: TODO <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
** [[Fedora_Program_Management/ReleaseBlocking/Fedora{{FedoraVersionNumber|next}}|List of deliverables]]: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- Please check the list of Fedora release deliverables and list all the differences the feature brings -->
<!-- Please check the list of Fedora release deliverables and list all the differences the feature brings -->
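Review bot: the `N/A (not a System Wide Change)` variant of the "List of deliverables" line answers a field whose own trailing comment marks it `REQUIRED FOR SYSTEM WIDE CHANGES`, and it displaces a `TODO` that at least flagged the item as open. Confirm the Change category before accepting the undo. If the proposal is system-wide, keep the entry open or list the deliverables differences instead of marking it N/A. The two variants also differ in the link target, `{{38|next}}` versus `{{FedoraVersionNumber|next}}`, so check which release the link is meant to point at.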



Revision as of 13:55, 4 November 2022


Add _FORTIFY_SOURCE=3 to distribution build flags

Summary

Replace the current _FORTIFY_SOURCE=2 with _FORTIFY_SOURCE=3 to improve mitigation of security issues arising from buffer overflows in packages in Fedora.

Owner

Current status

  • Targeted release: Fedora 38
  • Last updated: 2022-11-04
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

Benefit to Fedora

Improved security.


Scope

  • Proposal owners:

Build all packages and report failures.

  • Other developers:

Fix bugs filed for build failures.

  • Policies and guidelines: None
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

No ABI change, so there should be no impact on compatibility in a mixed environment.

How To Test

  • fortify-metrics to get compiler level metrics of coverage improvement
  • Smoke testing of packages to ensure that they continue to work correctly. Some packages may have overflows exposed at runtime, which may need to be fixed.


User Experience

No noticeable change to users.

Dependencies

None.

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No
  • Blocks product? product

Documentation

TODO

Release Notes