Message ID | 20220630132115.8247-1-michael.tremer@ipfire.org |
---|---|
State | Accepted |
Commit | 8ac8abb2695f0a780d078ed4f21412fc0113e29d |
Series | stripper: Strip any PIE executables |
Commit Message
Michael Tremer
June 30, 2022, 1:21 p.m. UTC
Fixes: #12894
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
src/stripper | 4 ++++
1 file changed, 4 insertions(+)
Comments
Reviewed-by: Peter Müller <peter.mueller@ipfire.org> > Fixes: #12894 > Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> > --- > src/stripper | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/src/stripper b/src/stripper > index fadbc514b..4014f03a4 100755 > --- a/src/stripper > +++ b/src/stripper > @@ -38,6 +38,10 @@ function _strip() { > args+=( "--strip-all" ) > ;; > > + *Type:*"DYN (Position-Independent Executable file)"*) > + args+=( "--strip-all" ) > + ;; > + > # Binaries > *Type:*"EXEC (Executable file)"*) > args+=( "--strip-all" )
Hello Michael, just a short follow-up question on this: Do we need to re-ship all affected packages again? Or is it fine to let users benefit from stripped PIE executables when we update affected components anyway? Thanks, and best regards, Peter Müller > Reviewed-by: Peter Müller <peter.mueller@ipfire.org> > >> Fixes: #12894 >> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> >> --- >> src/stripper | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/src/stripper b/src/stripper >> index fadbc514b..4014f03a4 100755 >> --- a/src/stripper >> +++ b/src/stripper >> @@ -38,6 +38,10 @@ function _strip() { >> args+=( "--strip-all" ) >> ;; >> + *Type:*"DYN (Position-Independent Executable file)"*) >> + args+=( "--strip-all" ) >> + ;; >> + >> # Binaries >> *Type:*"EXEC (Executable file)"*) >> args+=( "--strip-all" )
Good question. I did not even think about this. I could not find many executables that fell into this category. Maybe about 10. Out of those, dnsdist was the largest one - by far. So I would say, it isn’t worth it except for dnsdist. -Michael > On 6 Jul 2022, at 10:56, Peter Müller <peter.mueller@ipfire.org> wrote: > > Hello Michael, > > just a short follow-up question on this: Do we need to re-ship all affected packages again? > Or is it fine to let users benefit from stripped PIE executables when we update affected > components anyway? > > Thanks, and best regards, > Peter Müller > > >> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> >> >>> Fixes: #12894 >>> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> >>> --- >>> src/stripper | 4 ++++ >>> 1 file changed, 4 insertions(+) >>> >>> diff --git a/src/stripper b/src/stripper >>> index fadbc514b..4014f03a4 100755 >>> --- a/src/stripper >>> +++ b/src/stripper >>> @@ -38,6 +38,10 @@ function _strip() { >>> args+=( "--strip-all" ) >>> ;; >>> + *Type:*"DYN (Position-Independent Executable file)"*) >>> + args+=( "--strip-all" ) >>> + ;; >>> + >>> # Binaries >>> *Type:*"EXEC (Executable file)"*) >>> args+=( "--strip-all" )
Hello Michael, thanks for your swift response. Okay, I will then just bump the version number of dnsdist. All the best, Peter Müller > Good question. I did not even think about this. > > I could not find many executables that fell into this category. Maybe about 10. Out of those, dnsdist was the largest one - by far. > > So I would say, it isn’t worth it except for dnsdist. > > -Michael > >> On 6 Jul 2022, at 10:56, Peter Müller <peter.mueller@ipfire.org> wrote: >> >> Hello Michael, >> >> just a short follow-up question on this: Do we need to re-ship all affected packages again? >> Or is it fine to let users benefit from stripped PIE executables when we update affected >> components anyway? >> >> Thanks, and best regards, >> Peter Müller >> >> >>> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> >>> >>>> Fixes: #12894 >>>> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> >>>> --- >>>> src/stripper | 4 ++++ >>>> 1 file changed, 4 insertions(+) >>>> >>>> diff --git a/src/stripper b/src/stripper >>>> index fadbc514b..4014f03a4 100755 >>>> --- a/src/stripper >>>> +++ b/src/stripper >>>> @@ -38,6 +38,10 @@ function _strip() { >>>> args+=( "--strip-all" ) >>>> ;; >>>> + *Type:*"DYN (Position-Independent Executable file)"*) >>>> + args+=( "--strip-all" ) >>>> + ;; >>>> + >>>> # Binaries >>>> *Type:*"EXEC (Executable file)"*) >>>> args+=( "--strip-all" ) >
Did I not submit an update to that somewhere anyways? > On 6 Jul 2022, at 11:00, Peter Müller <peter.mueller@ipfire.org> wrote: > > Hello Michael, > > thanks for your swift response. > > Okay, I will then just bump the version number of dnsdist. > > All the best, > Peter Müller > > >> Good question. I did not even think about this. >> >> I could not find many executables that fell into this category. Maybe about 10. Out of those, dnsdist was the largest one - by far. >> >> So I would say, it isn’t worth it except for dnsdist. >> >> -Michael >> >>> On 6 Jul 2022, at 10:56, Peter Müller <peter.mueller@ipfire.org> wrote: >>> >>> Hello Michael, >>> >>> just a short follow-up question on this: Do we need to re-ship all affected packages again? >>> Or is it fine to let users benefit from stripped PIE executables when we update affected >>> components anyway? >>> >>> Thanks, and best regards, >>> Peter Müller >>> >>> >>>> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> >>>> >>>>> Fixes: #12894 >>>>> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> >>>>> --- >>>>> src/stripper | 4 ++++ >>>>> 1 file changed, 4 insertions(+) >>>>> >>>>> diff --git a/src/stripper b/src/stripper >>>>> index fadbc514b..4014f03a4 100755 >>>>> --- a/src/stripper >>>>> +++ b/src/stripper >>>>> @@ -38,6 +38,10 @@ function _strip() { >>>>> args+=( "--strip-all" ) >>>>> ;; >>>>> + *Type:*"DYN (Position-Independent Executable file)"*) >>>>> + args+=( "--strip-all" ) >>>>> + ;; >>>>> + >>>>> # Binaries >>>>> *Type:*"EXEC (Executable file)"*) >>>>> args+=( "--strip-all" ) >>
Hello Michael, > Did I not submit an update to that somewhere anyways? yes, you did: https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=bf7bfc3df6a3fc4e55908a9b80bcf06e51e3b46b This fell through the cracks when compiling the changelog for C169 - thanks for bringing this up. As for C170, bumping the package version is required nevertheless. All the best, Peter Müller > >> On 6 Jul 2022, at 11:00, Peter Müller <peter.mueller@ipfire.org> wrote: >> >> Hello Michael, >> >> thanks for your swift response. >> >> Okay, I will then just bump the version number of dnsdist. >> >> All the best, >> Peter Müller >> >> >>> Good question. I did not even think about this. >>> >>> I could not find many executables that fell into this category. Maybe about 10. Out of those, dnsdist was the largest one - by far. >>> >>> So I would say, it isn’t worth it except for dnsdist. >>> >>> -Michael >>> >>>> On 6 Jul 2022, at 10:56, Peter Müller <peter.mueller@ipfire.org> wrote: >>>> >>>> Hello Michael, >>>> >>>> just a short follow-up question on this: Do we need to re-ship all affected packages again? >>>> Or is it fine to let users benefit from stripped PIE executables when we update affected >>>> components anyway? >>>> >>>> Thanks, and best regards, >>>> Peter Müller >>>> >>>> >>>>> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> >>>>> >>>>>> Fixes: #12894 >>>>>> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> >>>>>> --- >>>>>> src/stripper | 4 ++++ >>>>>> 1 file changed, 4 insertions(+) >>>>>> >>>>>> diff --git a/src/stripper b/src/stripper >>>>>> index fadbc514b..4014f03a4 100755 >>>>>> --- a/src/stripper >>>>>> +++ b/src/stripper >>>>>> @@ -38,6 +38,10 @@ function _strip() { >>>>>> args+=( "--strip-all" ) >>>>>> ;; >>>>>> + *Type:*"DYN (Position-Independent Executable file)"*) >>>>>> + args+=( "--strip-all" ) >>>>>> + ;; >>>>>> + >>>>>> # Binaries >>>>>> *Type:*"EXEC (Executable file)"*) >>>>>> args+=( "--strip-all" ) >>> >
diff --git a/src/stripper b/src/stripper index fadbc514b..4014f03a4 100755 --- a/src/stripper +++ b/src/stripper @@ -38,6 +38,10 @@ function _strip() { args+=( "--strip-all" ) ;; + *Type:*"DYN (Position-Independent Executable file)"*) + args+=( "--strip-all" ) + ;; + # Binaries *Type:*"EXEC (Executable file)"*) args+=( "--strip-all" )
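Review bot: The new arm in _strip() is inserted above the "# Binaries" comment, so it has no comment of its own and the existing comment now describes only the EXEC arm. Both arms append the same "--strip-all", so consider moving the new pattern under "# Binaries" and joining the two patterns with "|" in one arm, which keeps the two executable types from drifting apart later. The pattern also depends on the literal wording "DYN (Position-Independent Executable file)" in the "Type:" line; a one-line comment naming where that string comes from would help whoever has to adjust it if the wording changes. The commit message carries only "Fixes: #12894", so a sentence on what was previously left unstripped would make the change understandable without the bug tracker.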