Re: [RFC] Enabling bindnow by default in dpkg-buildflags?

To: Julien Cristau <jcristau@debian.org>
Cc: debian developers <debian-devel@lists.debian.org>, Debian Release Team <debian-release@lists.debian.org>
Subject: Re: [RFC] Enabling bindnow by default in dpkg-buildflags?
From: Bálint Réczey <balint@balintreczey.hu>
Date: Sat, 17 Dec 2016 18:11:11 +0100
Message-id: <[🔎] CAK0OdpxrYxXqN=__Sbm96-DeNZSfJANf0CDjAvkU=qBPRR85QQ@mail.gmail.com>
Reply-to: balint@balintreczey.hu
In-reply-to: <[🔎] 20161217091759.gqg7jeeu2xcymmk3@betterave.cristau.org>
References: <CAK0OdpxQgvCmoBP0J10PwzyRExbQ4VQcfZQmGq5RPmwXzyc2Uw@mail.gmail.com> <[🔎] CAK0OdpwG3Y41hBo7uz3MbdBPLf-WR8B-rkn5e_D3sFe1h-_bfw@mail.gmail.com> <[🔎] CAK0OdpzWL9UENrFc6Hbj67EN9tiaVzKCjmu=V=9R1fTw9dx4-w@mail.gmail.com> <[🔎] 20161217021452.zu2nigkomzt3z5rj@gaara.hadrons.org> <[🔎] 33518f27-0cd0-7571-cdfa-c475ad2d5560@balintreczey.hu> <[🔎] 20161217091759.gqg7jeeu2xcymmk3@betterave.cristau.org>

Hi,

2016-12-17 10:17 GMT+01:00 Julien Cristau <jcristau@debian.org>:
> On Sat, Dec 17, 2016 at 09:20:40 +0100, Bálint Réczey wrote:
>
>> >> >> Considering that we are already in the transition freeze I suggest
>> >> >> going with enabling bindnow for all architectures in dpkg and
>> >> >> for Stretch+1 the responsibility of setting some hardening flags
>> >> >> could be transferred to gcc.
>> >> >> IMO this is not a transition because the change does not affect
>> >> >> package interdependencies.
>> >> >
>> >> > Is there any update on this?
>> >
>> > I've not seen any reply from the release team, no. And as explicitly
>> > mentioned before multiple times now, this has the potential to impact
>> > the release by introducing subtle and possibly hard to spot errors at
>> > *run-time*, which might be triggered by simple a upload or a binNMU w/o
>> > the maintainer being in the loop and knowing they have enabled bindnow.
>> > So I want the release team to be involved in ACKing this potentially
>> > release breaking change.
>>
>> I would like to kindly ask the Release Team to share its position on the
>> bindnow question since Guillem don't seem to let this move forward
>> without that.
>>
> That is very much not happening for stretch.

This is a bit terse and a bit late but DD-s are still free to enable
bindnow per package in the next 7 days.

Affected packages:
https://lintian.debian.org/tags/hardening-no-bindnow.html

Thanks,
Balint

Reply to:

References:
- Re: [RFC] Enabling bindnow by default in dpkg-buildflags?
  - From: Bálint Réczey <balint@balintreczey.hu>
- Re: [RFC] Enabling bindnow by default in dpkg-buildflags?
  - From: Bálint Réczey <balint@balintreczey.hu>
- Re: [RFC] Enabling bindnow by default in dpkg-buildflags?
  - From: Guillem Jover <guillem@debian.org>
- Re: [RFC] Enabling bindnow by default in dpkg-buildflags?
  - From: Bálint Réczey <balint@balintreczey.hu>
- Re: [RFC] Enabling bindnow by default in dpkg-buildflags?
  - From: Julien Cristau <jcristau@debian.org>

Prev by Date: Re: depending on libssl1.0-dev, buildd fails to find it
Next by Date: Bug#848501: ITP: jmork -- Mork database parser for Java
Previous by thread: Re: [RFC] Enabling bindnow by default in dpkg-buildflags?
Next by thread: Re: [RFC] Enabling bindnow by default in dpkg-buildflags?
Index(es):
- Date
- Thread