[Bug 1966349] [NEW] FFe: Enable PIE for python 3.10 in jammy
Alex Murray
1966349 at bugs.launchpad.net
Fri Mar 25 00:00:35 UTC 2022
Public bug reported:

As per LP: #1452115 enabling the python interpreter to be compiled as a
position independent executable (PIE) has been a long-standing request
for Ubuntu. Various testing[1] has shown this to have a minimal
performance impact for amd64. However, due to ongoing concerns around
possible performance impacts on other architectures or other workloads,
it is desirable to allow users to still use a non-PIE enabled python
interpreter if they wish.

As such, the python3.10 source package will generate both the existing
python3.10 binary package, which will have the python3 binary compiled
with PIE, as well as an additional python3.10-nopie binary package,
which will *not* enable PIE. This will allow users who wish to not use
PIE to install the python3.10-nopie binary package instead.

As outlined in LP: #1452115, the primary motivation to introduce PIE as
default for python is that this allows the dynamic loader to perform
address space layout randomisation for the python executable. In turn
this provides some hardening against memory corruption attacks which may
target the python interpreter, making it harder to exploit any future
such vulnerabilities on Ubuntu.

** Affects: python3.10 (Ubuntu)
Importance: Undecided
Status: Fix Released
https://bugs.launchpad.net/bugs/1966349
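
To confirm whether an installed interpreter binary was built as PIE, its ELF header can be inspected directly. The following is an added example, not part of the bug report or the Ubuntu packaging: the function names are hypothetical, the sample image is constructed, and the PT_INTERP test is a heuristic for telling a PIE program from a shared library.

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3   # e_type values from the ELF specification
PT_INTERP = 3            # program header that names the dynamic loader


def classify_elf(data: bytes) -> str:
    """Classify an ELF image by how it can be placed in memory."""
    if data[:4] != b"\x7fELF" or data[4:5] not in (b"\x01", b"\x02"):
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                          # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = ">" if data[5:6] == b"\x02" else "<"   # EI_DATA: 2 = big-endian
    try:
        e_type = struct.unpack_from(end + "H", data, 16)[0]
        if e_type == ET_EXEC:
            return "non-PIE executable"          # linked for a fixed load address
        if e_type != ET_DYN:
            return "other"
        # ET_DYN covers both PIE programs and shared libraries. Heuristic:
        # a program asks for a loader via PT_INTERP, a library normally does
        # not (a static-pie image has none and is reported as a shared object).
        fmt, off = ("Q", 32) if is64 else ("I", 28)
        e_phoff = struct.unpack_from(end + fmt, data, off)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54 if is64 else 42)
        for i in range(phnum):
            p_type = struct.unpack_from(end + "I", data, e_phoff + i * phentsize)[0]
            if p_type == PT_INTERP:
                return "PIE executable"          # image base can be randomised
    except struct.error:
        raise ValueError("truncated ELF image") from None
    return "shared object"


def sample_elf64(e_type: int, ph_types: list) -> bytes:
    """Constructed little-endian ELF64 image: file header and program headers only."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    header = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                                 64, 56, len(ph_types), 0, 0, 0)
    return header + b"".join(struct.pack("<I", t) + bytes(52) for t in ph_types)


if __name__ == "__main__":
    if len(sys.argv) > 1:                        # path to a binary to inspect
        with open(sys.argv[1], "rb") as fh:
            print(classify_elf(fh.read()))
    else:
        print(classify_elf(sample_elf64(ET_DYN, [6, PT_INTERP, 1])))
```

Run with the path to an interpreter binary as the only argument to classify that file; with no argument it classifies the constructed sample.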