Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Build hardening #1009

Merged
merged 2 commits into from
Feb 27, 2021
Merged

Build hardening #1009

merged 2 commits into from
Feb 27, 2021

Conversation

mayeut
Copy link
Member

@mayeut mayeut commented Feb 21, 2021

  • Use hardening for building all tools & libraries
    This does not affect the wheels that are produced by end users as proposed in Enable hardening of binaries included in the wheels built for manylinux  #59 but mitigates potential security issues in the tools used by manylinux images as mentioned in CVE-2021-3177 #1005
  • Always update system packages in the final step
    Since docker cache is used, system packages are not updated when cache is present. Always update them in the final step.

@mayeut mayeut marked this pull request as draft February 21, 2021 15:59
@mayeut mayeut force-pushed the build-hardening branch 2 times, most recently from acb8517 to b0c82bc Compare February 21, 2021 23:42
@mayeut mayeut marked this pull request as ready for review February 22, 2021 20:52
@mayeut
Copy link
Member Author

mayeut commented Feb 22, 2021

@trishankatdatadog, @aws-taylor, @wallrj,

Any thoughts on this PR ?

@trishankatdatadog
Copy link
Member

Good idea. What about all the other default flags?

@mayeut
Copy link
Member Author

mayeut commented Feb 24, 2021

All other flags I can think of for security purposes do not work on those old distros:

-fPIE / -Wl,-pie
-fstack-clash-protection
-fcf-protection

@trishankatdatadog
Copy link
Member

All other flags I can think of for security purposes do not work on those old distros:

Understood. If so, let's link to that document I sent, and comment on why we turned on only some flags and not others?

@mayeut
Use hardening for building all tools & libraries
cbc1585 
This does not affect the wheels that are produced by end users as proposed in pypa#59 but mitigates potential security issues in the tools used by manylinux images as mentioned in pypa#1005
@mayeut
Always update system packages in the final step
b0d5640 
Since docker cache is used, system packages are not updated when cache is present. Always update them in the final step.
@mayeut mayeut merged commit 114e2c5 into pypa:master Feb 27, 2021
@mayeut mayeut deleted the build-hardening branch February 27, 2021 16:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@trishankatdatadog trishankatdatadog Awaiting requested review from trishankatdatadog

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@mayeut @trishankatdatadog