Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)

To: Niels Thykier <niels@thykier.net>
Cc: balint@balintreczey.hu, "debian-devel@lists.debian.org" <debian-devel@lists.debian.org>, debian-policy@lists.debian.org
Subject: Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)
From: Dimitri John Ledkov <xnox@debian.org>
Date: Sun, 15 May 2016 20:46:44 +0100
Message-id: <[🔎] CANBHLUinRPB2mATOPp=a=BZFstUroCp0ftsFE9POsyfpKYELtQ@mail.gmail.com>
In-reply-to: <[🔎] 5738C4C2.6020907@thykier.net>
References: <[🔎] CAK0Odpw3LjhZdAqOBvo91Vv5O4DzpzR23_zHxLYdux5OvNGRXw@mail.gmail.com> <[🔎] 5738C4C2.6020907@thykier.net>

On 15 May 2016 at 19:49, Niels Thykier <niels@thykier.net> wrote:
> Bálint Réczey:
>> Hi,
>>
>> [...]
>>
>
> Hi,
>
>> I think making PIE and bindnow default in dpkg (at least for amd64) would be
>> perfect release goals for Stretch.
>>
>
> I support the end goal, but I suspect we should enable PIE by default
> via GCC-6's new configure switch[1].  Assuming it does what I hope, then
> it will work better than enabling PIE via dpkg-buildflags.
>

The configure switch is available in the debian gcc-5 toolchain as a
cherrypick, which is not used.
In the ubuntu build of the toolchain that switch is passed on
previously mentioned releases / architectures.

FYI, that switch is not perfect and -no-pie has to be used in a few
places still.


>  * The major issue with PIE by default is that it is not compatible
>    with -fPIC (and presumably also -static), which causes FTBFS or
>    broken ELF binaries.
>
>  * Assuming the GCC option does what I hope, then it would automatically
>    disable PIE for irrelevant outputs.
>
> My assumption seems to be aligned with the approach taking by Ubuntu.
>
>> This would make Debian on par with Fedora and Ubuntu in that regard.
>>
>
> FTR, Fedora seems to have some special logic for adding PIE only to
> executables.
>
>> We briefly discussed that with Guillem in a related bug report:
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812783#42
>>
>> I think the next step could be an archive rebuild with the changed defaults
>> if we would like to pursue this:
>> https://wiki.debian.org/Teams/Dpkg/FAQ#Q:_Can_we_add_support_for_new_default_build_flags_to_dpkg-buildflags.3F
>>
>> I planned starting a discussion on debian-devel about PIE + bindnow,
>> too, after checking
>> all the packages which contain statically compiled binaries because
>> they may need patching
>> to disable PIE flags based on Lunar's post:
>> https://people.debian.org/~lunar/blog/posts/aslr_now/
>>
>> Cheers,
>> Balint
>>
>>>[...]
>
> In summary:
>
>  * I would welcome bindnow by default via dpkg-buildflags.
>
>  * I would also love to have PIE as default for Stretch although I fear
>    dpkg-buildflags is the wrong approach for that particular flag.
>
> Thanks,
> ~Niels
>
> [1] https://gcc.gnu.org/gcc-6/changes.html
>
> """The --enable-default-pie configure option enables generation of PIE
> by default."""
>
>

-- 
Regards,

Dimitri.

Reply to:

References:
- PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)
  - From: Bálint Réczey <balint@balintreczey.hu>
- Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)
  - From: Niels Thykier <niels@thykier.net>

Prev by Date: Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)
Next by Date: Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)
Previous by thread: Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)
Next by thread: Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)
Index(es):
- Date
- Thread