[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [RFC] Enabling bindnow by default in dpkg-buildflags?

On Sat, 2016-12-17 at 09:20:40 +0100, Bálint Réczey wrote:
> 2016-12-17 3:14 GMT+01:00 Guillem Jover <guillem@debian.org>:
> > On Wed, 2016-12-14 at 14:05:44 +0100, Bálint Réczey wrote:
> >> 2016-12-13 9:29 GMT+01:00 Bálint Réczey <balint@balintreczey.hu>:
> >> > 2016-11-27 23:11 GMT+01:00 Bálint Réczey <balint@balintreczey.hu>:
> >> >> Lucas already performed the archive-wide rebuild with bindnow
> >> >> enabled by dpkg and we have not observed breakages specific to
> >> >> bindnow. IMO this is mostly due to packages already disabling
> >> >> bindnow through dpkg-buildflags.
> >
> > But you didn't do the requested archive-wide autopkgtest run (because
> > "it was hard"), and even though the coverage is not great it would
> > be better than nothing. Requested in this case because bindnow changes
> > the *run-time* behavior, which is not visible or noticable in normal
> > circumstances by just *building* packages.
> 
> I'm surprised you raise the autopkgtest run question.

I mentioned it explicitly on a private mail Lucas sent to me, Niels and
Kurt, which prompted me to update the dpkg FAQ, and then again a week
after in <https://lists.debian.org/debian-devel/2016/08/msg00384.html>.

In addition on that private conversation I also mentioned this:

  And this still leaves many packages that might fail at run-time (not
  to mention the startup slow down), so this option seems potentially
  dangerous to enable globally. OTOH at least both Gentoo and Fedora
  seem to have done so:

    <https://wiki.gentoo.org/wiki/Hardened/Toolchain>
    <https://fedoraproject.org/wiki/Changes/Harden_All_Packages>

  And some known issues:

    <http://www.zsh.org/mla/workers/2015/msg02981.html>
    <https://bugzilla.redhat.com/show_bug.cgi?id=1199775>
    The Gentoo wiki also mentions that X is not happy about this, but
    I'm not sure how current that is.

Which then updated <https://wiki.debian.org/Hardening> with some of
those relevant links, but maybe that was too subtle.

> I asked for clarification then because the on 13 Aug you added the
> following line to dpkg FAQ which does not seem to be a strong
> requirement:
> * For flags that change run-time semantics, ideally an additional run
> of the autopkgtest for packages that ship them (although this cannot
> be deemed conclusive as our coverage is not great yet).
> ( https://wiki.debian.org/Teams/Dpkg/FAQ?action=diff&rev1=28&rev2=29 )

It certainly is not going to be conclusive as a way to verify it correct,
as even with no failures would not mean there's no potential problems;
this would merely apply the principle of "falsificationism" to the
proposal. So it might be helpful as an additional data point to try to
gauge the possible fallout, but not as a way to say "everything ok, no
problems found". Which I guess does not play in your favor, I'll
update the FAQ to makes this more clear.

> I would like to kindly ask the Release Team to share its position on the
> bindnow question since Guillem don't seem to let this move forward
> without that.

BTW, in contrast to PIE, to be able to use bindnow globally on your
system you don't even have to recompile anything. You can simply add
LD_BIND_NOW=1 in your /etc/environment for example (man ld.so(8)).

Also according to the release schedule, it appears to me people still
have up to 10 days before 2017-02-05 to enable bindnow in their
packages?

And in any case, I've written down to propose enabling this at the
beginning of the dpkg 1.19.x release cycle (which will match the buster
release cycle) in <https://wiki.debian.org/Teams/Dpkg/RoadMap>.

Regards,
Guillem
Reply to: