
Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)
>>>>> "Guillem" == Guillem Jover <guillem@debian.org> writes:
    >> I agree that it would be the easier way and I also tried building
    >> packages with patched GCC 5 setting PIE as default with success,
    >> but we have a CTTE decision which says that we should set
    >> hardening flags through dpkg:
    >> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552688

    Guillem> Meh, I'm not going to bother reading that bug report, but
    Guillem> if that's what the decision really says, then that decision
    Guillem> is just bogus…

So, first, the TC didn't actually make a formal decision.  The gcc
maintainer didn't like changing the compiler defaults; dpkg-buildflags
had gotten enough traction that it seemed to be a sufficient solution,
so the bug was closed with a specific note that any interested party
could reopen.

However, I think there are several factors that are different in this
situation:

* A big concern was introducing new warnings in environments where
  -Werror was in use.  That is something we sadly have a fair bit of
  experience fixing (-Wuninitialized springs to mind) since the time of
  that bug, and that seems not to apply to PIE

* More concerns about cases where the behavior would be wrong than seem
  to apply here.

Regardless of where you make the change you'll break some packages.
That happens though; both gcc and dpkg-dev have gotten more strict about
various behaviors in ways that break packages within recent memory.

So, I think there's some good reading in the TC bug about the pros and
cons of various approaches, but not all of it applies, and there is a
bit of flame to wade through mixed in with some generally well-thought
discussion.
That bug definitely should not be considered binding in general, but
definitely not in this environment.

--Sam