
Enabling PIE by default for Stretch



Hi,

As brought up on the meeting last night, I think we should try to go for
PIE by default in Stretch on all release architectures!
 * It is a substantial hardening feature
 * Upstream has vastly reduced the performance penalty for x86
 * The majority of all porters believe their release architecture is
   ready for it.
 * We have sufficient time to solve any issues or revert if it turns out
   to be too problematic.

As agreed on during the [meeting], if there are no major concerns to
this proposal in general within a week, I shall file a bug against GCC
requesting PIE by default on all release architectures (with backing
porters).
  If there are only major concerns with individual architectures, I will
simply exclude said architectures in the "PIE by default" request.

 * Deadline for major concerns:  Fri, 7th of October 2016.

Fall-out
========

There will be some possible fall-out from this change:

 * There will be some FTBFS caused by some packages needing a rebuild
   before reverse dependencies can enable PIE.  These are a subset of
   the bugs filed in the [pie+bindnow] build tests.

 * Some packages may not be ready for PIE.  These will have to disable
   it per package.  A notable case being ghc (#712228), where we can
   reuse the patch from Ubuntu to work around the issue.

 * A possible issue from Matthias was that no one has done a large scale
   "PIE by default" on "arm* mips*".

 * There was concern about whether the 32-bit arm architectures would be
   notably affected by the PIE slowdown (like x86 used to be).
   It is not measured, but two arm porters did mention a possible
   slowdown.

 * It was questioned whether it made sense to invest time and effort in
   enabling PIE for architectures which would not be included in Buster
   (armel?). Personally, I do not see an issue, if the porters are
   ready to put in the effort required.

Thanks,
~Niels

[meeting]:
http://meetbot.debian.net/debian-release/2016/debian-release.2016-09-28-19.00.html

[pie+bindnow]:
https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=pie-bindnow-20160906&users=balint%40balintreczey.hu;dist=unstable
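Added example, not part of Niels's message and not Debian's or GCC's own tooling: a small C program that checks whether a built ELF binary actually came out as PIE, which is the check a maintainer would want after a "PIE by default" compiler flip. The hardening is only real if the final link produced an ET_DYN object with a PT_INTERP segment; an ET_EXEC image is loaded at a fixed address and ASLR cannot move it. Everything in the block is an assumption for illustration: the function names (classify_elf64, classify_elf64_file, build_sample_elf64), the restriction to the ELF64 little-endian layout, and the constructed in-memory sample images used to exercise the classifier.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Classification result for an ELF image. */
enum elf_kind { ELF_NOT_ELF, ELF_EXEC, ELF_PIE, ELF_SHARED_LIB, ELF_OTHER };

static const char *const elf_kind_name[] = {
    "not an ELF file (or unreadable)", "ET_EXEC (fixed address, NOT PIE)",
    "ET_DYN with PT_INTERP (PIE)", "ET_DYN without PT_INTERP (shared library)",
    "unsupported ELF (not ELF64 LE, or headers outside buffer)"
};

/* Classify an ELF64 little-endian image held in memory.  Assumption: only
 * the amd64-style ELF64 LE layout is handled, and the host is little-endian
 * so struct copies need no byte swapping.
 *   ET_EXEC -> linked at a fixed address: not PIE.
 *   ET_DYN  -> PIE if a PT_INTERP (dynamic loader request) segment exists,
 *              otherwise an ordinary shared library.
 * Caveat: a static-pie binary has no PT_INTERP and is reported here as a
 * shared library; a fuller check would also look for DF_1_PIE in DT_FLAGS_1. */
enum elf_kind classify_elf64(const unsigned char *buf, size_t len)
{
    if (len < sizeof(Elf64_Ehdr) || memcmp(buf, ELFMAG, SELFMAG) != 0)
        return ELF_NOT_ELF;
    if (buf[EI_CLASS] != ELFCLASS64 || buf[EI_DATA] != ELFDATA2LSB)
        return ELF_OTHER;
    Elf64_Ehdr eh;
    memcpy(&eh, buf, sizeof eh);
    if (eh.e_type == ET_EXEC)
        return ELF_EXEC;
    if (eh.e_type != ET_DYN || eh.e_phentsize != sizeof(Elf64_Phdr))
        return ELF_OTHER;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        uint64_t off = eh.e_phoff + (uint64_t)i * sizeof(Elf64_Phdr);
        if (off > len || len - off < sizeof(Elf64_Phdr))
            return ELF_OTHER;           /* program header table truncated */
        Elf64_Phdr ph;
        memcpy(&ph, buf + off, sizeof ph);
        if (ph.p_type == PT_INTERP)
            return ELF_PIE;
    }
    return ELF_SHARED_LIB;
}

/* Read the leading bytes of a file and classify them.  8 KiB covers the ELF
 * header plus the program header table, which the linker places right after
 * the header in any normal binary. */
enum elf_kind classify_elf64_file(const char *path)
{
    unsigned char buf[8192];
    FILE *f = fopen(path, "rb");
    if (!f)
        return ELF_NOT_ELF;
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return classify_elf64(buf, n);
}

/* Build a constructed ELF64 LE image (header plus an optional PT_INTERP
 * program header) to exercise the classifier without a real binary.  It is
 * not loadable; it carries only the fields the classifier inspects.
 * Returns the image length, or 0 if the buffer is too small. */
size_t build_sample_elf64(unsigned char *out, size_t cap,
                          uint16_t e_type, int with_interp)
{
    size_t need = sizeof(Elf64_Ehdr) + (with_interp ? sizeof(Elf64_Phdr) : 0);
    if (cap < need)
        return 0;
    Elf64_Ehdr eh;
    memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = e_type;
    eh.e_machine = EM_X86_64;
    eh.e_version = EV_CURRENT;
    eh.e_ehsize = sizeof(Elf64_Ehdr);
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phoff = with_interp ? sizeof(Elf64_Ehdr) : 0;
    eh.e_phnum = with_interp ? 1 : 0;
    memcpy(out, &eh, sizeof eh);
    if (with_interp) {
        Elf64_Phdr ph;
        memset(&ph, 0, sizeof ph);
        ph.p_type = PT_INTERP;
        memcpy(out + sizeof eh, &ph, sizeof ph);
    }
    return need;
}

/* Usage: ./pie-check /usr/bin/* ; exit status is 1 if any ET_EXEC was found. */
int main(int argc, char **argv)
{
    int found_non_pie = 0;
    for (int i = 1; i < argc; i++) {
        enum elf_kind k = classify_elf64_file(argv[i]);
        printf("%-40s %s\n", argv[i], elf_kind_name[k]);
        if (k == ELF_EXEC)
            found_non_pie = 1;
    }
    return found_non_pie;
}
```

Run it over the binaries a package installs (for example the contents of its debian/tmp/usr/bin) after a rebuild with the new default. The same distinction is what `readelf -h` exposes in its `Type:` line, where both a PIE and a shared library show as DYN; the PT_INTERP walk is what tells them apart, which is also why a static-pie binary needs the DT_FLAGS_1 check mentioned in the comment.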