Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)
On 2016-05-15 21:45:55, Bálint Réczey wrote:
> Hi Niels,
>
> 2016-05-15 20:49 GMT+02:00 Niels Thykier <niels@thykier.net>:
> > Bálint Réczey:
> >> Hi,
> >>
> >> [...]
> >>
> >
> > Hi,
> >
> >> I think making PIE and bindnow default in dpkg (at least for amd64) would be
> >> perfect release goals for Stretch.
> >>
> >
> > I support the end goal, but I suspect we should enable PIE by default
> > via GCC-6's new configure switch[1]. Assuming it does what I hope, then
> > it will work better than enabling PIE via dpkg-buildflags.
> >
> > * The major issue with PIE by default is that it is not compatible
> > with -fPIC (and presumably also -static), which causes FTBFS or
> > broken ELF binaries.
> >
> > * Assuming the GCC option does what I hope, then it would automatically
> > disable PIE for irrelevant outputs.
> >
> > My assumption seems to be aligned with the approach taken by Ubuntu.
>
> I agree that it would be the easier way and I also tried building packages with
> patched GCC 5 setting PIE as default with success, but we have a CTTE
> decision which says that we should set hardening flags through dpkg:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552688
I'm not familiar with the history of that bug (272 updates!), so excuse
my question, but:
- that bug seems to have been opened in the context of custom patches to
GCC, back in 2009-2012
- the CTTE seems to have made an informal decision (see last update
#272) on that topic
Would it make sense to re-evaluate that decision in the context of 2016,
i.e. (if I understand correctly) no patching of GCC 6 needed? Just a
quick ask to the CTTE asking if the decision is still valid given
today's situation.
regards,
iustin
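The thread turns on whether a package's build output actually ends up as a PIE executable with BIND_NOW, and on the failure mode Niels mentions (PIE flags applied to an output that should be a shared object or a plain executable). The following is an added example, not code from this thread or from dpkg or GCC: a small ELF64 inspector in the spirit of the `hardening-check` tool that reads the ELF header type and the `DT_FLAGS`/`DT_FLAGS_1` dynamic tags to report whether a binary is PIE and whether it was linked with bindnow. It builds its own minimal, constructed ELF images for testing (the `build_elf` helper and its byte layout are assumptions for this example, not real toolchain output); `inspect_file` can be pointed at a real binary. The classification heuristic (ET_DYN with a PT_INTERP header is treated as a PIE executable, ET_DYN without one as a shared object) is the same one practitioners use because older linkers do not set `DF_1_PIE`.

```python
import struct
import sys

# ELF constants used below (values from the ELF64 specification / elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8                # DT_FLAGS: resolve all symbols at load time
DF_1_NOW, DF_1_PIE = 0x1, 0x08000000  # DT_FLAGS_1: bindnow / linked as PIE

EHSIZE, PHENTSIZE = 64, 56
EHDR_FMT = "<HHIQQQIHHHHHH"      # fields after the 16-byte e_ident
PHDR_FMT = "<IIQQQQQQ"
IDENT = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELFCLASS64, LSB, EV_CURRENT


def build_elf(e_type, flags=0, flags_1=0, interp=True):
    """Construct a minimal ELF64 image for testing (assumption: not real toolchain output).

    Layout: header, program headers (PT_DYNAMIC and optionally PT_INTERP),
    then the dynamic array and the interpreter string.
    """
    entries = [(DT_FLAGS, flags)] if flags else []
    if flags_1:
        entries.append((DT_FLAGS_1, flags_1))
    entries.append((DT_NULL, 0))
    dyn = b"".join(struct.pack("<QQ", tag, val) for tag, val in entries)
    interp_str = b"/lib64/ld-linux-x86-64.so.2\0"  # constructed sample interpreter path
    phnum = 2 if interp else 1
    dyn_off = EHSIZE + phnum * PHENTSIZE
    interp_off = dyn_off + len(dyn)
    phdrs = struct.pack(PHDR_FMT, PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    if interp:
        phdrs += struct.pack(PHDR_FMT, PT_INTERP, 4, interp_off, interp_off, interp_off,
                             len(interp_str), len(interp_str), 1)
    header = IDENT + struct.pack(EHDR_FMT, e_type, 62, 1, 0, EHSIZE, 0, 0,
                                 EHSIZE, PHENTSIZE, phnum, 0, 0, 0)
    return header + phdrs + dyn + (interp_str if interp else b"")


def inspect_elf(data):
    """Report PIE / bindnow status of a little-endian ELF64 image held in memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    fields = struct.unpack_from(EHDR_FMT, data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = fields[0], fields[4], fields[8], fields[9]
    flags = flags_1 = 0
    has_interp = False
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_DYNAMIC:
            off, end = p_offset, p_offset + p_filesz
            while off + 16 <= end:          # walk the dynamic array until DT_NULL
                tag, val = struct.unpack_from("<QQ", data, off)
                off += 16
                if tag == DT_NULL:
                    break
                if tag == DT_FLAGS:
                    flags = val
                elif tag == DT_FLAGS_1:
                    flags_1 = val
    if e_type == ET_EXEC:
        kind = "non-PIE executable"
    elif e_type == ET_DYN and has_interp:
        kind = "PIE executable"             # ET_DYN with an interpreter request
    elif e_type == ET_DYN:
        kind = "shared object"              # -fPIC library, not a PIE candidate
    else:
        kind = "other"
    return {
        "kind": kind,
        "df_1_pie": bool(flags_1 & DF_1_PIE),  # only newer linkers set this
        "bindnow": bool(flags & DF_BIND_NOW) or bool(flags_1 & DF_1_NOW),
    }


def inspect_file(path):
    """Inspect an ELF file on disk (e.g. a freshly built package binary)."""
    with open(path, "rb") as f:
        return inspect_elf(f.read())


if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(p, inspect_file(p))
```

Running the script on the binaries in a built package (`python3 elfcheck.py debian/*/usr/bin/*`) gives a quick, toolchain-independent way to confirm that the dpkg-buildflags or GCC-default approach produced what was intended: executables should come out as `PIE executable` with `bindnow` true, while `.so` files should still be reported as `shared object` rather than being silently turned into something a loader will reject.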