[14:39] <ahasenack> hi #security, I'm doing an SRU for nfs-utils, and was wondering if I should include this fix in it: https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1980095
[14:39] <ahasenack> I *think* you would say yes, and the only reason I can think of to not include it is some fear of regression that would be difficult to catch in testing without a wider audience using the package
[14:40] <ahasenack> but in a sense, it regressed in jammy, by being built without the hardening flags
[14:44] <mdeslaur> hrm, that's a good question
[14:44] <mdeslaur> sbeattie: ^
[14:49] <ahasenack> I do have other srus planned for nfs-utils later on, we could include it in one of those, to give the current package in kinetic more "cooking time" (it has the hardening fix)
[14:49] <ahasenack> point is, I think, it on its own probably does not warrant an SRU
[15:00] <mdeslaur> I'm not sure what the impact is of turning those on for libraries, which is why I asked sbeattie
[16:40] <sbeattie> ahasenack: yes, please include a fix for that, if you can. I verified that not just the hardening config was there in the libnfsidmap rules but that the actual shared objects had them applied.
[16:40] <sbeattie> and thanks!
[16:42] <ahasenack> ok, will do
[17:15] <ahasenack> sbeattie: do you happen to have a quick way to check at runtime, analyzing the binary file, if hardening flags were applied?
[17:15] <ahasenack> some objdump-foo
[17:16] <ahasenack> maybe what lintian does, but that is perl code, not my cup of tea ;)
[17:22] <ahasenack> maybe https://git.launchpad.net/qa-regression-testing/tree/scripts/test-built-binaries.py ?
[17:23] <ahasenack> that's a large script
[17:36] <sarnold> ahasenack: devscripts: /usr/bin/hardening-check
[17:36] <sarnold> oh hah that big pile of python calls that :)
[17:36] <ahasenack> TIL hardening-check
[17:37] <sarnold> I'd forgotten we had stackclash stuff in there
[17:37] <ahasenack> I look at those qa scripts, and at the top see ubuntu release names like hardy, or lucid :)
[17:42] <sarnold> reliable releases, releases that you know are running something *important* somewhere..
[17:53] <sbeattie> ahasenack: yeah, I have a low level todo to remove some of the logic around releases that have been out of support for 7+ years now...
[17:53] <ahasenack> so I ran hardening-check on the libs from libnfsidmap1, and looks like FORTIFY_SOURCE was enabled already, even without any hardening flags in d/rules
[17:53] <ahasenack> but "immediate binding" is definitely flipped to on in the new builds
[17:55] <ahasenack> and compared to focal, we got some new ones
[17:55] <ahasenack> "control flow integrity: yes"
[17:57] <ahasenack> ah, the "no fortify source" lintian warning I got when I filed the bug was from another source package, src:libnfsidmap-regex