From ad1f7f467765e780ac46101f07961fa02779bcbf Mon Sep 17 00:00:00 2001 From: Gerald Combs Date: Fri, 30 Oct 2015 11:18:45 -0700 Subject: Explain why Get-HardenFlags currently fails. Change-Id: I4a956b2479a482a9262e6e67f6c7611fad9dde84 Reviewed-on: https://code.wireshark.org/review/11448 Reviewed-by: Gerald Combs --- tools/Get-HardenFlags.ps1 | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'tools/Get-HardenFlags.ps1') diff --git a/tools/Get-HardenFlags.ps1 b/tools/Get-HardenFlags.ps1 index 3e2ea3f3b4..fcb3edf73a 100644 --- a/tools/Get-HardenFlags.ps1 +++ b/tools/Get-HardenFlags.ps1 @@ -28,6 +28,21 @@ # on all the binaries in the distribution, and then filters # for the NXCOMPAT and DYNAMICBASE flags. +# This script will probably fail for the forseeable future. +# +# Many of our third-party libraries are compiled using MinGW-w64. Its version +# of `ld` doesn't enable the dynamicbase, nxcompat, or high-entropy-va flags +# by default. When you *do* pass --dynamicbase it strips the relocation +# section of the executable: +# +# https://sourceware.org/bugzilla/show_bug.cgi?id=19011 +# +# As a result, none of the distributions that produce Windows applications +# and libraries have any sort of hardening flags enabled: +# +# http://mingw-w64.org/doku.php/download +# + <# .SYNOPSIS Checks the NXCOMPAT and DYNAMICBASE flags on all the binaries. -- cgit v1.2.1
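Review bot: The added explanation is written as plain `#` comments above the `<#` comment-based help block, so it is only visible to someone who opens the file; a person who runs Get-Help on the script, or simply watches the check fail, never learns why. Consider moving it, or a one-line summary of it, into the help block next to `.SYNOPSIS`, for example under a `.DESCRIPTION` or `.NOTES` keyword. In the first added line, "forseeable" should be "foreseeable". "This script will probably fail" would also be more useful if it said what the failure looks like, since the text names the MinGW-w64-built third-party libraries as the cause but not which of the NXCOMPAT and DYNAMICBASE checks they trip. Finally, the second URL is a general download page rather than something that documents the missing flags, so the claim that no distribution enables hardening cannot be checked from it; the sourceware bugzilla link already does that job for the --dynamicbase relocation problem, and a similarly specific reference would help here.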