
Bug#835148: gcc-6: please enable PIE hardening flags by default on amd64 ppc64el and s390x



Package: gcc-6
Version: 6.1.1-12
Severity: wishlist
Tags: patch

Dear Matthias,

As a continuation of the discussions [1][2] on debian-devel I'm
attaching the simple patch that implements enabling the PIE
hardening flags for a subset of the architectures.

I'm open to changing the subset; it matches the set selected in Ubuntu
as a start, but porters may have different preferences [2].

I'm continuing with a full archive rebuild to see the number of packages
to be updated for the change in the default flags.

The same patch applies to gcc-5, too, if it does not get removed
from the archive before the patch is accepted for gcc-6.

Cheers,
Balint

[1] https://lists.debian.org/debian-devel/2016/05/msg00228.html
[2] https://lists.debian.org/debian-devel/2016/08/msg00324.html

From 096fba7df4a9d699015c5f5457be7fdd21cde33e Mon Sep 17 00:00:00 2001
From: Balint Reczey <balint@balintreczey.hu>
Date: Sun, 3 Jul 2016 21:09:36 +0200
Subject: [PATCH] Enable PIE on Debian for amd64, ppc64el and s390x

---
 debian/rules.defs | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/debian/rules.defs b/debian/rules.defs
index 47a067d..443eba4 100644
--- a/debian/rules.defs
+++ b/debian/rules.defs
@@ -1222,16 +1222,19 @@ endif
 
 # pie by default --------------------
 with_pie :=
+pie_archs := amd64 ppc64el s390x
 ifeq ($(distribution),Ubuntu)
   ifeq (,$(filter $(distrelease),lucid precise trusty utopic vivid wily))
     pie_archs = s390x
+  else
+    pie_archs =
   endif
   ifeq (,$(filter $(distrelease),lucid precise trusty utopic vivid wily xenial))
     pie_archs += amd64 ppc64el
   endif
-  ifneq (,$(filter $(DEB_TARGET_ARCH),$(pie_archs)))
-    with_pie := yes
-  endif
+endif
+ifneq (,$(filter $(DEB_TARGET_ARCH),$(pie_archs)))
+  with_pie := yes
 endif
 
 # gold --------------------
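
Review bot: The new default `pie_archs := amd64 ppc64el s390x` at the top of the hunk is assigned before the `ifeq ($(distribution),Ubuntu)` test and carries no `distrelease` filter, so it applies to every non-Ubuntu distribution and every release this rules.defs is built for, not only Debian as the subject line says. Consider guarding it with an explicit `ifeq ($(distribution),Debian)` branch (plus a release filter if builds for older suites should keep the previous default), mirroring how the Ubuntu branch is structured. As a style point, the hunk mixes `:=` for the default with `=` and `+=` inside the Ubuntu branch; one assignment flavour for pie_archs and a one-line comment saying that the Ubuntu block replaces the default would make the override order easier to follow.
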
-- 
2.1.4

