Explain why Get-HardenFlags currently fails.

Change-Id: I4a956b2479a482a9262e6e67f6c7611fad9dde84 Reviewed-on: https://code.wireshark.org/review/11448 Reviewed-by: Gerald Combs <gerald@wireshark.org>
author: Gerald Combs <gerald@wireshark.org> 2015-10-30 11:18:45 -0700
committer: Gerald Combs <gerald@wireshark.org> 2015-10-30 18:31:00 +0000
commit: ad1f7f467765e780ac46101f07961fa02779bcbf (patch)
tree: c96a83a8e2db3373230d15e1b6b050cb9c389e07 /tools
parent: b6497d44b53cf814b0b4c297b6402c62e9351d3e (diff)
1 files changed, 15 insertions, 0 deletions
diff --git a/tools/Get-HardenFlags.ps1 b/tools/Get-HardenFlags.ps1
index 3e2ea3f3b4..fcb3edf73a 100644
--- a/tools/Get-HardenFlags.ps1
+++ b/tools/Get-HardenFlags.ps1
@@ -28,6 +28,21 @@
 #   on all the binaries in the distribution, and then filters
 #   for the NXCOMPAT and DYNAMICBASE flags.
 
+# This script will probably fail for the forseeable future.
+#
+# Many of our third-party libraries are compiled using MinGW-w64. Its version
+# of `ld` doesn't enable the dynamicbase, nxcompat, or high-entropy-va flags
+# by default. When you *do* pass --dynamicbase it strips the relocation
+# section of the executable:
+#
+#   https://sourceware.org/bugzilla/show_bug.cgi?id=19011
+#
+# As a result, none of the distributions that produce Windows applications
+# and libraries have any sort of hardening flags enabled:
+#
+#   http://mingw-w64.org/doku.php/download
+#
+
 <#
 .SYNOPSIS
 Checks the NXCOMPAT and DYNAMICBASE flags on all the binaries.
author	Gerald Combs <gerald@wireshark.org>	2015-10-30 11:18:45 -0700
committer	Gerald Combs <gerald@wireshark.org>	2015-10-30 18:31:00 +0000
commit	ad1f7f467765e780ac46101f07961fa02779bcbf (patch)
tree	c96a83a8e2db3373230d15e1b6b050cb9c389e07 /tools
parent	b6497d44b53cf814b0b4c297b6402c62e9351d3e (diff)