lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 7 May 2018 15:58:57 +0900
From:   Masahiro Yamada <yamada.masahiro@...ionext.com>
To:     Mark Wielaard <mjw@...oraproject.org>
Cc:     Laura Abbott <labbott@...hat.com>,
        Andy Lutomirski <luto@...nel.org>,
        "H . J . Lu" <hjl.tools@...il.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        X86 ML <x86@...nel.org>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Nick Clifton <nickc@...hat.com>,
        Cary Coutant <ccoutant@...il.com>,
        Linux Kbuild mailing list <linux-kbuild@...r.kernel.org>
Subject: Re: [RFCv2 PATCH 0/3] Salted build ids via linker sections

2018-03-30 21:40 GMT+09:00 Mark Wielaard <mjw@...oraproject.org>:
> On Thu, 2018-03-29 at 11:01 -0700, Laura Abbott wrote:
>> I'm still mostly looking for feedback whether
>> this would be acceptable for merging or if we should just persue a
>> --build-id-salt in binutils.
>
> Personally I would go with this approach. It seems simple and it might
> take years before a new linker option is available everywhere.


Indeed.  This series is easier than --build-id-salt.

If you do not see any better solution, I can accept this.


BTW, when I read
https://fedoraproject.org/wiki/Changes/ParallelInstallableDebuginfo
I thought "we could reverse the symlink direction from debug file to
build-id file)"
sensible (but I understand it is not easy to change this way).


If two packages share an identical image,
one package can borrow the image from the other,
then the storage space will be saved.

So, having identical ID should be advantage,
but we actually see only disadvantage...




> To simplify things I think you could just always add the extra vdso
> .comment initialized to something like KERNELRELEASE. Which distros
> seem to update anyway to include their build number, so they wouldn't
> need to do anything special to "update the build salt".
>






-- 
Best Regards
Masahiro Yamada

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ