Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)

To: Niels Thykier <niels@thykier.net>,balint@balintreczey.hu,"debian-devel@lists.debian.org" <debian-devel@lists.debian.org>
Cc: debian-policy@lists.debian.org
Subject: Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)
From: Bastien Roucaries <roucaries.bastien@gmail.com>
Date: Tue, 17 May 2016 06:43:15 +0000
Message-id: <[🔎] 5D7371F9-4471-4C03-8187-C2FE43B4380F@gmail.com>
In-reply-to: <[🔎] 5738C4C2.6020907@thykier.net>
References: <[🔎] CAK0Odpw3LjhZdAqOBvo91Vv5O4DzpzR23_zHxLYdux5OvNGRXw@mail.gmail.com> <[🔎] 5738C4C2.6020907@thykier.net>


Le 15 mai 2016 20:49:38 GMT+02:00, Niels Thykier <niels@thykier.net> a écrit :
>Bálint Réczey:
>> Hi,
>> 
>> [...]
>> 
>
>Hi,
>
>> I think making PIE and bindnow default in dpkg (at least for amd64)
>would be
>> perfect release goals for Stretch.
>> 
>
>I support the end goal, but I suspect we should enable PIE by default
>via GCC-6's new configure switch[1].  Assuming it does what I hope,
>then
>it will work better than enabling PIE via dpkg-buildflags.
>
> * The major issue with PIE by default is that it is not compatible
>   with -fPIC (and presumably also -static), which causes FTBFS or
>   broken ELF binaries.


It will also break some package like ImageMagick... Documentation how to fix  (without reverting default) is not usuable by upstream.

So please improve documentation first.

Bastien
>
>* Assuming the GCC option does what I hope, then it would automatically
>   disable PIE for irrelevant outputs.
>
>My assumption seems to be aligned with the approach taking by Ubuntu.
>
>> This would make Debian on par with Fedora and Ubuntu in that regard.
>> 
>
>FTR, Fedora seems to have some special logic for adding PIE only to
>executables.
>
>> We briefly discussed that with Guillem in a related bug report:
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812783#42
>> 
>> I think the next step could be an archive rebuild with the changed
>defaults
>> if we would like to pursue this:
>>
>https://wiki.debian.org/Teams/Dpkg/FAQ#Q:_Can_we_add_support_for_new_default_build_flags_to_dpkg-buildflags.3F
>> 
>> I planned starting a discussion on debian-devel about PIE + bindnow,
>> too, after checking
>> all the packages which contain statically compiled binaries because
>> they may need patching
>> to disable PIE flags based on Lunar's post:
>> https://people.debian.org/~lunar/blog/posts/aslr_now/
>> 
>> Cheers,
>> Balint
>> 
>>>[...]
>
>In summary:
>
> * I would welcome bindnow by default via dpkg-buildflags.
>
> * I would also love to have PIE as default for Stretch although I fear
>   dpkg-buildflags is the wrong approach for that particular flag.
>
>Thanks,
>~Niels
>
>[1] https://gcc.gnu.org/gcc-6/changes.html
>
>"""The --enable-default-pie configure option enables generation of PIE
>by default."""

-- 
Envoyé de mon appareil Android avec K-9 Mail. Veuillez excuser ma brièveté.

Reply to:

References:
- PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)
  - From: Bálint Réczey <balint@balintreczey.hu>
- Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)
  - From: Niels Thykier <niels@thykier.net>

Prev by Date: Bug#824495: debian-policy: Source packages "can" declare relationships
Next by Date: Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)
Previous by thread: Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)
Next by thread: Bug#824495: debian-policy: Source packages "can" declare relationships
Index(es):
- Date
- Thread