FFe: Enable PIE for python 3.10 in jammy

Bug #1966349 reported by Alex Murray
Affects: python3.10 (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (not set)

Bug Description

As per LP: #1452115 enabling the python interpreter to be compiled as a position independent executable (PIE) has been a long standing request for Ubuntu. Various testing[1] has shown this to have a minimal performance impact for amd64. However, due to ongoing concerns around possible performance impacts on other architectures or other workloads, it is desirable to allow users to still use a non-PIE enabled python interpreter if they wish.

As such, the python3.10 source package will generate both the existing python3.10 binary package, which will have the python3 binary compiled with PIE, as well as an additional python3.10-nopie binary package, which will *not* enable PIE. This will allow users who wish to not use PIE to install the python3.10-nopie binary package instead.

As outlined in LP: #1452115, the primary motivation to introduce PIE as default for python is that this allows the dynamic loader to perform address space layout randomisation for the python executable. In turn this provides some hardening against memory corruption attacks which may target the python interpreter, making it harder to exploit any future such vulnerabilities on Ubuntu.
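The hardening argument above rests on one linker-level detail: the dynamic loader can only randomise the load address of an executable whose ELF type is ET_DYN, which is what PIE produces, whereas a traditional executable is ET_EXEC and always maps at its fixed link address. The following script is an added example, not code from this bug report or from the Ubuntu python3.10 package; it reads the ELF header directly so it needs no extra tools, and it checks constructed sample headers plus, when run as a script, whichever interpreter path is given (defaulting to the running interpreter).

```python
"""Classify an ELF file as PIE (ET_DYN) or non-PIE (ET_EXEC) from its header.

PIE is a prerequisite for ASLR of the executable image itself: the loader
can relocate an ET_DYN image to a random base, but an ET_EXEC image is
always mapped at the address it was linked for.
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2   # fixed-address executable (non-PIE)
ET_DYN = 3    # position-independent: PIE executable or shared object


def elf_type(data: bytes) -> int:
    """Return the e_type field from the first bytes of an ELF file."""
    if len(data) < 18 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    # e_ident[EI_DATA] (byte 5) selects byte order: 1 = little, 2 = big.
    endian = "<" if data[5] == 1 else ">"
    # e_type is the 16-bit field immediately after the 16-byte e_ident.
    (e_type,) = struct.unpack(endian + "H", data[16:18])
    return e_type


def classify(data: bytes) -> str:
    """Map the ELF type to a human-readable PIE verdict.

    Note: ET_DYN is also used for shared libraries, so for a file that is
    known to be an executable, "pie" is the correct reading; for an
    arbitrary .so the same header value just means "relocatable image".
    """
    e_type = elf_type(data)
    if e_type == ET_DYN:
        return "pie"
    if e_type == ET_EXEC:
        return "non-pie"
    return "other"


def classify_file(path: str) -> str:
    """Read just the ELF header of a file on disk and classify it."""
    with open(path, "rb") as f:
        return classify(f.read(64))


def make_header(e_type: int, little_endian: bool = True) -> bytes:
    """Build a constructed, minimal 64-byte ELF64 header for testing.

    Only the fields this checker reads (magic, EI_DATA, e_type) carry
    meaningful values; the rest is zero padding.
    """
    ident = ELF_MAGIC + bytes([2, 1 if little_endian else 2, 1, 0]) + b"\x00" * 8
    endian = "<" if little_endian else ">"
    # e_type, e_machine (62 = x86-64), e_version, then padding to 64 bytes.
    return ident + struct.pack(endian + "HHI", e_type, 62, 1) + b"\x00" * 40


if __name__ == "__main__":
    # Constructed samples: one PIE-style header, one non-PIE.
    assert classify(make_header(ET_DYN)) == "pie"
    assert classify(make_header(ET_EXEC)) == "non-pie"
    # Check a real interpreter: a path argument, else the running python.
    target = sys.argv[1] if len(sys.argv) > 1 else sys.executable
    print(f"{target}: {classify_file(target)}")
```

On an Ubuntu system the same answer is available from binutils with `readelf -h /usr/bin/python3.10 | grep Type`, which prints `DYN` for the PIE build and `EXEC` for a non-PIE one; the script above is useful where binutils is not installed or where the check has to run inside a larger audit.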

Revision history for this message
Steve Langasek (vorlon) wrote :

I approve this FFe. The risk is largely limited to performance regressions, and work has been done to verify that performance has not significantly regressed; this is a significant security improvement; other distros are already shipping this; and regressions are mitigated by the presence of a -nopie package that users can install if they run into problems. We should get this done for the next LTS.

Moving status straight to 'fix released' as this is already in the archive.

Changed in python3.10 (Ubuntu):
status: New → Fix Released