On Tue, 13 Dec 2005, Mark Loeser wrote:

> Basically what I'm looking for here is an easy to understand explanation of
> what textrels are, why they are bad, and why they should hold back marking a
> package stable. The only information I've been able to find states that they
> could cause a performance hit, but this doesn't seem to warrant banning them
> completely in my eyes.

Given my limited knowledge on this, this is my understanding. TEXTRELS are basically text relocations. What this is, is relocation within the text segment of the process image. This brings up the question of what a relocation is. A relocation is simply the replacement of some text with a memory location. The big issue with this is that the text segment is usually supposed to be read only for security reasons. But because the text segment needs a relocation, it needs to be read-write since the relocation happens at runtime dynamically. The constant need to look up the address is what causes the performance degradation. The performance degradation however is of no worry to us. The issue is that since the text segment is now read-write, the image of the process is no longer guaranteed to remain the same as it can be overwritten (allowing code modifications at runtime which can happen other ways as well). Because of this, the application is far more vulnerable to arbitrary code execution as if an exploit manages to overwrite the text segment properly, it can execute code that it wants. I am not sure how correct this explanation is or if it is even what you were looking for.

> Getting a clear cut policy on exactly what issues should hold a package back
> from being marked stable is what I'm looking for. Issues like textrels,
> executable stacks, etc is what I'm looking for to be defined and explained why
> we are to always avoid them. This should be added to existing documentation
> policy so it is somewhere for new devs to know about, and existing devs to
> have for a reference.

I agree, this would be very nice to have. It would make stabilization of packages a little bit easier.

Thanks.

Saleem Abdulrasool
compnerd (at) gentoo (dot) org
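Added example, not part of the original message or of any Gentoo tool: a package QA check for textrels can read the marker the linker leaves in the ELF dynamic section, either a `DT_TEXTREL` entry or the `DF_TEXTREL` bit in `DT_FLAGS`. The function names `has_textrel` and `build_sample` are hypothetical, and the sample image is constructed inline so the check runs without a real binary.

```python
import struct

PT_DYNAMIC, DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 2, 0, 22, 30, 0x4

def has_textrel(image: bytes) -> bool:
    """True if the ELF dynamic section asks the loader to relocate the text segment."""
    if len(image) < 52 or image[:4] != b"\x7fELF" or image[4] not in (1, 2) or image[5] not in (1, 2):
        raise ValueError("not a recognisable ELF image")
    is64 = image[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if image[5] == 1 else ">"       # EI_DATA: 1 = little, 2 = big endian
    try:
        if is64:
            (e_phoff,) = struct.unpack_from(end + "Q", image, 32)
            e_phentsize, e_phnum = struct.unpack_from(end + "HH", image, 54)
        else:
            (e_phoff,) = struct.unpack_from(end + "I", image, 28)
            e_phentsize, e_phnum = struct.unpack_from(end + "HH", image, 42)
        dyn_fmt = end + ("qQ" if is64 else "iI")   # d_tag, d_val
        for i in range(e_phnum):
            ph = e_phoff + i * e_phentsize
            (p_type,) = struct.unpack_from(end + "I", image, ph)
            if p_type != PT_DYNAMIC:
                continue
            po, pf, w = (8, 32, "Q") if is64 else (4, 16, "I")   # p_offset / p_filesz field offsets
            (p_offset,) = struct.unpack_from(end + w, image, ph + po)
            (p_filesz,) = struct.unpack_from(end + w, image, ph + pf)
            for off in range(p_offset, p_offset + p_filesz, struct.calcsize(dyn_fmt)):
                tag, val = struct.unpack_from(dyn_fmt, image, off)
                if tag == DT_NULL:
                    break
                if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                    return True
    except struct.error as exc:
        raise ValueError("truncated ELF image") from exc
    return False

def build_sample(dyn):
    """Constructed test input: minimal little-endian ELF64 with one PT_DYNAMIC segment."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    body = b"".join(struct.pack("<qQ", t, v) for t, v in list(dyn) + [(DT_NULL, 0)])
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 120, 120, len(body), len(body), 8)
    return ehdr + phdr + body

if __name__ == "__main__":
    print(has_textrel(build_sample([(DT_TEXTREL, 0)])))   # object built with text relocations
    print(has_textrel(build_sample([(DT_FLAGS, 0x8)])))   # DF_BIND_NOW only, no textrel
```

The same marker appears as a `TEXTREL` entry in `readelf -d` output.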