Re: PIE + bindnow for Stretch? (Re: Time to reevaluate the cost of -fPIC?)



Hi!

On Sun, 2016-05-15 at 21:45:55 +0200, Bálint Réczey wrote:
> 2016-05-15 20:49 GMT+02:00 Niels Thykier <niels@thykier.net>:
> > Bálint Réczey:
> >> I think making PIE and bindnow default in dpkg (at least for amd64) would be
> >> perfect release goals for Stretch.
> >
> > I support the end goal, but I suspect we should enable PIE by default
> > via GCC-6's new configure switch[1].  Assuming it does what I hope, then
> > it will work better than enabling PIE via dpkg-buildflags.
> >
> >  * The major issue with PIE by default is that it is not compatible
> >    with -fPIC (and presumably also -static), which causes FTBFS or
> >    broken ELF binaries.
> >
> >  * Assuming the GCC option does what I hope, then it would automatically
> >    disable PIE for irrelevant outputs.
> >
> > My assumption seems to be aligned with the approach taken by Ubuntu.

Right, I've been pondering the same. And I also have to agree
enabling PIE globally via dpkg-buildflags is not the right approach,
and I'm not planning to enable that in dpkg for any normal arch.
Because it would require hunting down all broken packages, and making
them opt-out from using PIE, or making them opt-out from PIE in some
parts of their build-system. It would also require a flag-day.

For bindnow, the usual process from the dpkg FAQ would still apply.

> I agree that it would be the easier way and I also tried building packages with
> patched GCC 5 setting PIE as default with success, but we have a CTTE
> decision which says that we should set hardening flags through dpkg:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552688

Meh, I'm not going to bother reading that bug report, but if that's
what the decision really says, then that decision is just bogus…

Thanks,
Guillem
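The two properties the thread is about, PIE and bindnow, are visible in the ELF file itself, which is how one would verify that a rebuilt package actually got them. What follows is an added example, not code from dpkg, lintian, hardening-check or any Debian tool: a small parser for little-endian ELF64 objects that reports whether the object is a PIE (ET_DYN carrying a PT_INTERP, or DF_1_PIE set in DT_FLAGS_1 on newer binutils) and whether it was linked with -z now (a DT_BIND_NOW tag, DF_BIND_NOW in DT_FLAGS, or DF_1_NOW in DT_FLAGS_1). The sample images are constructed inside the block and consist only of headers and a dynamic section, so they mirror what the toolchain emits for the four cases but are not runnable programs; inspect_file can be pointed at a real binary from a build.

```python
"""Check an ELF64 object for PIE and BIND_NOW.  Added example for the
PIE/bindnow discussion; not dpkg, lintian or hardening-check code."""
import struct

# Constants from the ELF gABI / <elf.h>.
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8                        # bit in DT_FLAGS
DF_1_NOW, DF_1_PIE = 0x1, 0x08000000     # bits in DT_FLAGS_1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 header, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # program header, 56 bytes
DYN = struct.Struct("<qQ")                 # dynamic entry, 16 bytes


def inspect_elf(data):
    """Return {'type': 'EXEC'|'DYN', 'pie': bool, 'bindnow': bool} for a
    little-endian ELF64 image; raise ValueError for anything else."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:        # EI_CLASS=ELFCLASS64, EI_DATA=LSB
        raise ValueError("only little-endian ELF64 is handled here")
    (_, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = EHDR.unpack_from(data, 0)
    if e_type not in (ET_EXEC, ET_DYN):
        raise ValueError("not an executable or shared object")
    has_interp, dyn = False, None
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_DYNAMIC:
            dyn = (p_offset, p_filesz)
    flags = flags1 = 0
    bind_now_tag = False
    if dyn:
        off, end = dyn[0], dyn[0] + dyn[1]
        while off + DYN.size <= end:      # walk the dynamic section to DT_NULL
            tag, val = DYN.unpack_from(data, off)
            off += DYN.size
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW:
                bind_now_tag = True
            elif tag == DT_FLAGS:
                flags = val
            elif tag == DT_FLAGS_1:
                flags1 = val
    # A shared library is ET_DYN as well, so e_type alone does not identify
    # a PIE: require a PT_INTERP (it is run directly) or the DF_1_PIE flag.
    pie = e_type == ET_DYN and (has_interp or bool(flags1 & DF_1_PIE))
    bindnow = bind_now_tag or bool(flags & DF_BIND_NOW) or bool(flags1 & DF_1_NOW)
    return {"type": "DYN" if e_type == ET_DYN else "EXEC",
            "pie": pie, "bindnow": bindnow}


def inspect_file(path):
    """Convenience wrapper for a real binary on disk."""
    with open(path, "rb") as fh:
        return inspect_elf(fh.read())


def build_elf(e_type, interp=True, dyn_tags=()):
    """Construct a minimal ELF64 image (headers + dynamic section only) with
    the given e_type, optional PT_INTERP and dynamic tags.  Test input only:
    it contains no code and cannot be executed."""
    phnum = 2 if interp else 1
    phoff = EHDR.size
    dyn_off = phoff + phnum * PHDR.size
    dynamic = b"".join(DYN.pack(t, v) for t, v in dyn_tags) + DYN.pack(DT_NULL, 0)
    interp_str = b"/lib64/ld-linux-x86-64.so.2\0"
    interp_off = dyn_off + len(dynamic)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = EHDR.pack(ident, e_type, 62, 1, 0, phoff, 0, 0, EHDR.size,
                     PHDR.size, phnum, 0, 0, 0)           # 62 = EM_X86_64
    phdrs = PHDR.pack(PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                      len(dynamic), len(dynamic), 8)
    if interp:
        phdrs += PHDR.pack(PT_INTERP, 4, interp_off, interp_off, interp_off,
                           len(interp_str), len(interp_str), 1)
    return ehdr + phdrs + dynamic + interp_str


# Constructed samples, one per link mode the thread mentions.
SAMPLES = {
    # gcc without -fPIE/-pie: classic ET_EXEC, lazy binding
    "non-pie-lazy": build_elf(ET_EXEC, dyn_tags=[(DT_FLAGS_1, 0)]),
    # gcc -fPIE -pie: ET_DYN with PT_INTERP (DF_1_PIE on newer binutils)
    "pie-lazy": build_elf(ET_DYN, dyn_tags=[(DT_FLAGS_1, DF_1_PIE)]),
    # gcc -fPIE -pie -Wl,-z,now: the Stretch goal, PIE plus BIND_NOW
    "pie-bindnow": build_elf(ET_DYN, dyn_tags=[(DT_FLAGS, DF_BIND_NOW),
                                               (DT_FLAGS_1, DF_1_PIE | DF_1_NOW)]),
    # a shared library built -fPIC -z now: ET_DYN, but not a PIE
    "shared-lib": build_elf(ET_DYN, interp=False, dyn_tags=[(DT_BIND_NOW, 0)]),
}


def report(samples=SAMPLES):
    return {name: inspect_elf(img) for name, img in samples.items()}


if __name__ == "__main__":
    for name, r in report().items():
        print(f"{name:14s} type={r['type']} pie={r['pie']} bindnow={r['bindnow']}")
```

The shared-library case is why the check looks at PT_INTERP and DF_1_PIE rather than e_type alone: a -fPIC library and a PIE are both ET_DYN, which is also the source of the -fPIC/-fPIE confusion the thread is about. On a real build, run inspect_file over the package's ELF files and compare against the hardening flags the package was supposed to get.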

