[Bug 1966349] Re: FFe: Enable PIE for python 3.10 in jammy
Steve Langasek
1966349 at bugs.launchpad.net
Fri Mar 25 00:09:31 UTC 2022
I approve this FFe. The risk is largely limited to performance
regressions, and work has been done to verify that performance has not
significantly regressed; this is a significant security improvement;
other distros are already shipping this; and regressions are mitigated
by the presence of a -nopie package that users can install if they run
into problems. We should get this done for the next LTS.
Moving status straight to 'fix released' as this is already in the
archive.
** Changed in: python3.10 (Ubuntu)
Status: New => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to python3.10 in Ubuntu.
https://bugs.launchpad.net/bugs/1966349
Title:
FFe: Enable PIE for python 3.10 in jammy
Status in python3.10 package in Ubuntu:
Fix Released
Bug description:
As per LP: #1452115 enabling the python interpreter to be compiled as
a position independent executable (PIE) has been a long standing
request for Ubuntu. Various testing[1] has shown this to have a
minimal performance impact for amd64. However, due to ongoing concerns
around possible performance impacts on other architectures or other
workloads, it is desirable to allow users to still use a non-PIE
enabled python interpreter if they wish.
As such, the python3.10 source package will generate both the existing
python3.10 binary package, which will have the python3 binary compiled
with PIE, as well as an additional python3.10-nopie binary package,
which will *not* enable PIE. This will allow users who wish to not use
PIE to install the python3.10-nopie binary package instead.
As outlined in LP: #1452115, the primary motivation to introduce PIE
as default for python is that this allows the dynamic loader to
perform address space layout randomisation for the python executable.
In turn this provides some hardening against memory corruption attacks
which may target the python interpreter, making it harder to exploit
any future such vulnerabilities on Ubuntu.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python3.10/+bug/1966349/+subscriptions
More information about the foundations-bugs
mailing list