tech-pkg: Re: shared objects installed without execute permission bogus warning?

Subject: Re: shared objects installed without execute permission bogus warning?
To: Todd Vierling <tv@duh.org>
From: grant beattie <grant@NetBSD.org>
List: tech-pkg
Date: 10/28/2004 10:49:53

--E75mJrUy8lRi9cGN
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Oct 27, 2004 at 08:39:22PM -0400, Todd Vierling wrote:

> > we are now effectively forcing our ways on users/platforms that
> > relaxed such requirements a long time ago, for absolutely *no* gain.
>=20
> As I mentioned, there have been musings about various ways to reduce the
> exposure of mmap's PROT_EXEC (on various Un*xen), and one such way is
> reintroducing the inode execute permission bit as a constraint.  That much
> aside, the warnings encourage pkgsrc maintainers to fix third party softw=
are
> to be more portable, which is a real-world gain.

that assumes we want to a) actually do that, b) maintain such patches.
I don't think too many people will be rushing out to do this because
there is zero gain and extra pain on every platform except Interix.

as for platforms exposing mmap's PROT_EXEC, that's platform specific
functionality and should be treated as such.

> You can certainly feel free to ignore the warnings.  They don't hurt you,
> and certainly don't cause the software to break on such "relaxed"
> platforms.[*]  But they do offer a way to ensure that the bug gets notice=
d.
>=20
> =3D=3D
>=20
> [*] Which makes me wonder what the big deal is.  It's just a few lines of
>     text in the build output; what is the problem?  Would putting the code
>     in question under PKG_DEVELOPER=3DYES make it more palatable?

the "big deal" is that we are now doing something that is
fundamentally different from the norm on all platforms, where there is
only one platform actually affected. if this was an issue across the
board, then the argument for doing it across the board would be much
more compelling.

if there are compelling reasons to do things differently to the platform
default *for every platform*, I haven't yet seen them. indeed, we
actively *avoid* doing that for very good reasons.

grant.

--E75mJrUy8lRi9cGN
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (NetBSD)

iD8DBQFBgEIxluYOb9yiFXoRAkVRAJ95kZauoRyHSKUsbOZIYzrrgVN2MACgjVQv
TniT8FijfsIbS4KIld++vuU=
=SQpA
-----END PGP SIGNATURE-----

--E75mJrUy8lRi9cGN--