Package: python3.11-minimal
Version: 3.11.1-2
Severity: normal
X-Debbugs-Cc: j.fi...@gmail.com

Dear Maintainer,

if I understood it correctly, Python 3.10 and later should be compiled as a PIE (position-independent executable). That is why there are the new packages python3-nopie, python3.10-nopie, and 3.11-nopie.

But 3.11 is not a PIE. I checked the arm64, amd64, armhf, armel, and i386 architectures.

$ file /usr/bin/python3.11
/usr/bin/python3.11: ELF 64-bit LSB executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=8dad83d75a00e6b5e26095c79dee978a8d57ef7d, for GNU/Linux 3.7.0, stripped

The same is true for the Sid version of python3.11-minimal (3.11.2-4). The hardening-check is reporting the same.

On the contrary, python3.10-minimal (3.10.9-1) is correctly a PIE:

$ file /usr/bin/python3.10
/usr/bin/python3.10: ELF 64-bit LSB pie executable, ARM aarch64, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux-aarch64.so.1, BuildID[sha1]=7d2767e751dbd5c9287dbe5cd8de9022faa9d042, for GNU/Linux 3.7.0, stripped

-- System Information:
Debian Release: bookworm/sid
  APT prefers jammy-updates
  APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500, 'jammy'), (100, 'jammy-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.19.0-28-generic (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_CPU_OUT_OF_SPEC, TAINT_USER
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages python3.11-minimal depends on:
ii  libc6                  2.35-0ubuntu3.1
ii  libexpat1              2.4.7-1ubuntu0.2
pn  libpython3.11-minimal  <none>
ii  zlib1g                 1:1.2.11.dfsg-2ubuntu9.2

Versions of packages python3.11-minimal recommends:
pn  python3.11  <none>

Versions of packages python3.11-minimal suggests:
ii  binfmt-support  2.2.1-2