[Bug 1966349] Re: FFe: Enable PIE for python 3.10 in jammy

Steve Langasek 1966349 at bugs.launchpad.net
Fri Mar 25 00:09:31 UTC 2022


I approve this FFe.  The risk is largely limited to performance
regressions, and work has been done to verify that performance has not
significantly regressed; this is a significant security improvement;
other distros are already shipping this; and regressions are mitigated
by the presence of a -nopie package that users can install if they run
into problems.  We should get this done for the next LTS.

Moving status straight to 'fix released' as this is already in the
archive.

** Changed in: python3.10 (Ubuntu)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to python3.10 in Ubuntu.
https://bugs.launchpad.net/bugs/1966349

Title:
  FFe: Enable PIE for python 3.10 in jammy

Status in python3.10 package in Ubuntu:
  Fix Released

Bug description:
  As per LP: #1452115 enabling the python interpreter to be compiled as
  a position independent executable (PIE) has been a long standing
  request for Ubuntu. Various testing[1] has shown this to have a
  minimal performance impact for amd64. However, due to ongoing concerns
  around possible performance impacts on other architectures or other
  workloads, it is desirable to allow users to still use a non-PIE
  enabled python interpreter if they wish.

  As such, the python3.10 source package will generate both the existing
  python3.10 binary package, which will have the python3 binary compiled
  with PIE, as well as an additional python3.10-nopie binary package,
  which will *not* enable PIE. This will allow users who wish to not use
  PIE to install the python3.10-nopie binary package instead.

  As outlined in LP: #1452115, the primary motivation to introduce PIE
  as default for python is that this allows the dynamic loader to
  perform address space layout randomisation for the python executable.
  In turn this provides some hardening against memory corruption attacks
  which may target the python interpreter, making it harder to exploit
  any future such vulnerabilities on Ubuntu.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python3.10/+bug/1966349/+subscriptions
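
The bug description above turns on one property of the shipped binary: whether the interpreter was linked as a position-independent executable, so that the dynamic loader can place it at a randomised address. The check below is an added example written for this page; it is not code from the Launchpad bug, from Ubuntu, or from the python3.10 package. It reads only the ELF header of a file and classifies it by `e_type`: `ET_DYN` (3) is what a PIE executable carries, `ET_EXEC` (2) is a fixed-address, non-PIE executable. The sample headers it builds are constructed for the self-test and are not taken from any real binary; with no argument it inspects `sys.executable`, which on a jammy system with the default python3.10 package should report `pie` and with python3.10-nopie installed should report `exec`.

```python
"""Classify an ELF file as PIE (ET_DYN) or non-PIE (ET_EXEC) from its header.

Added example for this page; not part of the Launchpad bug or the
python3.10 package. Only the ELF identification bytes and e_type are read.
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
# e_type values from the ELF specification.
ET_EXEC = 2  # fixed load address: the loader cannot relocate the main image (no ASLR for it)
ET_DYN = 3   # position-independent: a PIE executable (or a shared object)


def elf_type(header: bytes) -> str:
    """Return 'pie', 'exec' or 'other' for the first 18 or more bytes of an ELF file."""
    if len(header) < 18 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_data = header[5]  # EI_DATA: 1 = little-endian, 2 = big-endian
    endian = {1: "<", 2: ">"}.get(ei_data)
    if endian is None:
        raise ValueError("unknown ELF data encoding")
    # e_type is the 16-bit field at offset 16 in both ELF32 and ELF64 headers.
    (e_type,) = struct.unpack_from(endian + "H", header, 16)
    if e_type == ET_DYN:
        return "pie"
    if e_type == ET_EXEC:
        return "exec"
    return "other"


def is_pie_file(path: str) -> bool:
    """True if the ELF file at `path` is position-independent (ET_DYN)."""
    with open(path, "rb") as f:
        return elf_type(f.read(64)) == "pie"


def sample_header(e_type: int) -> bytes:
    """Constructed 64-byte ELF64 little-endian header with only the fields this
    check reads filled in (EI_CLASS=2, EI_DATA=1, EI_VERSION=1, e_machine=x86-64).
    Test fixture only; not from a real binary."""
    ident = ELF_MAGIC + bytes([2, 1, 1]) + bytes(9)  # 16 bytes of e_ident
    return ident + struct.pack("<HHI", e_type, 0x3E, 1) + bytes(64 - 24)


if __name__ == "__main__":
    # Assumed usage: `python3 elfpie.py /usr/bin/python3.10`; defaults to the
    # interpreter running this script.
    target = sys.argv[1] if len(sys.argv) > 1 else sys.executable
    with open(target, "rb") as f:
        print(f"{target}: {elf_type(f.read(64))}")
```

`ET_DYN` is also the type of every shared library, so the `pie` verdict is meaningful only for a file you already know is an executable (an interpreter in `/usr/bin`, for instance). Tools such as `file(1)` additionally look at program headers and dynamic flags to separate the two; the header-only check here is enough to confirm that the installed `python3.10` binary is the PIE build the bug describes rather than the `-nopie` variant.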