On 2016-05-15 21:45:55, Bálint Réczey wrote:
Hi Niels,
2016-05-15 20:49 GMT+02:00 Niels Thykier <niels@thykier.net>:
Bálint Réczey:
Hi,
[...]
Hi,
I think making PIE and bindnow default in dpkg (at least for amd64) would be
perfect release goals for Stretch.
I support the end goal, but I suspect we should enable PIE by default
via GCC-6's new configure switch[1]. Assuming it does what I hope, then
it will work better than enabling PIE via dpkg-buildflags.
* The major issue with PIE by default is that it is not compatible
with -fPIC (and presumably also -static), which causes FTBFS or
broken ELF binaries.
* Assuming the GCC option does what I hope, then it would automatically
disable PIE for irrelevant outputs.
My assumption seems to be aligned with the approach taken by Ubuntu.
I agree that it would be the easier way and I also tried building packages with
patched GCC 5 setting PIE as default with success, but we have a CTTE
decision which says that we should set hardening flags through dpkg:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552688
I'm not familiar with the history of that bug (272 updates!), so excuse
my question, but:
- that bug seems to have been opened in the context of custom patches to
GCC, back in 2009-2012
- the CTTE seems to have made an informal decision (see last update
#272) on that topic
Would it make sense to re-evaluate that decision in the context of 2016,
i.e. (if I understand correctly) no patching of GCC 6 needed? Just a
quick ask to the CTTE asking if the decision is still valid given
today's situation.
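A small checker, added here as an illustration and not taken from the thread, from dpkg or from hardening-check, that reads an ELF64 binary and reports the two properties under discussion: PIE (ET_DYN file type) and bindnow (DF_BIND_NOW in DT_FLAGS or DF_1_NOW in DT_FLAGS_1). The `make_elf` helper fabricates a minimal, non-runnable ELF image purely as constructed test input; on a real system you would point it at a built executable instead.

```python
import struct
import sys

# ELF constants from the ELF and GNU ABI (only the ones this check needs)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000


def hardening_report(data):
    """Return {'pie': bool, 'bindnow': bool} for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    flags = flags1 = 0
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type != PT_DYNAMIC:
            continue
        # Walk the dynamic section: 16-byte (d_tag, d_val) pairs ending at DT_NULL
        for off in range(p_offset, p_offset + p_filesz, 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_FLAGS:
                flags = d_val
            elif d_tag == DT_FLAGS_1:
                flags1 = d_val
    # Caveat: shared libraries are ET_DYN too, so run this on executables; newer
    # linkers additionally set DF_1_PIE, which is exposed in the report for that case.
    return {"pie": e_type == ET_DYN,
            "bindnow": bool(flags & DF_BIND_NOW) or bool(flags1 & DF_1_NOW)}


def make_elf(e_type, dyn_entries):
    """Constructed test input: a minimal, non-runnable ELF64 image whose only
    program header is PT_DYNAMIC. Real inputs would come from an actual build."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LSB, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    image = open(path, "rb").read() if path else make_elf(ET_DYN, [(DT_FLAGS, DF_BIND_NOW)])
    print(hardening_report(image))
```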