Re: Rebuilding packages to increase Stretch's PIE coverage
Bálint Réczey:
> Dear Release Team,
>
> GCC uses PIE by default in unstable and testing but most packages
> which haven't been rebuilt since the transition still ship unprotected
> binaries [1].
>
> If the Team agrees I suggest rebuilding the packages which would
> benefit from a rebuild. In case this gets a green light I would
> volunteer to perform a test rebuild for each package to see if the
> lintian warning goes away.
>
> Ideally #848129 would be fixed before the rebuild but it seems unlikely
> that it would move forward without Release Team weighing in. I support
> Adrian's suggestion about removing all PIE support from dpkg.
>
> Cheers,
> Balint
>
> [1] https://lintian.debian.org/tags/hardening-no-pie.html
>
> PS: Thanks to Hanno Böck for asking about the current situation and
> triggering this email. :-)
>
Hi Bálint,

Thanks for the offer.

Personally, I am inclined to accept as it means that we migrate to PIE
for these binaries now rather than post-release (e.g. as a part of a
security update or stable update).

* Do you have a number of affected source packages handy?
* Do you have a plan for finding packages in testing that have not
  been rebuilt? (lintian.d.o does not include testing)

Thanks,
~Niels
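
As an added example (not part of the thread, and not lintian's implementation), one simplified way to list candidate non-PIE executables in an unpacked tree is to read the ELF header's e_type field: ET_EXEC means a fixed-address executable, ET_DYN means a PIE or a shared library. The function names and the default path are assumptions made for this sketch.

```python
import os
import struct

ET_EXEC, ET_DYN = 2, 3  # e_type values from the ELF specification

def elf_pie_status(head: bytes) -> str:
    """Classify a file from its first 18 bytes (e_ident + e_type)."""
    if len(head) < 18 or head[:4] != b"\x7fELF":
        return "not-elf"
    ei_data = head[5]  # EI_DATA: 1 = little-endian, 2 = big-endian
    if ei_data not in (1, 2):
        return "not-elf"
    # e_type sits right after the 16-byte e_ident in both ELF32 and ELF64.
    (e_type,) = struct.unpack_from("<H" if ei_data == 1 else ">H", head, 16)
    if e_type == ET_EXEC:
        return "no-pie"          # linked at a fixed address
    if e_type == ET_DYN:
        return "pie-or-shared"   # header alone cannot tell PIE from a .so
    return "other"               # relocatable objects, core files

def find_no_pie(root: str) -> list[str]:
    """Walk root and return regular files whose ELF header says ET_EXEC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(18)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if elf_pie_status(head) == "no-pie":
                hits.append(path)
    return sorted(hits)

def sample_header(ei_class: int, ei_data: int, e_type: int) -> bytes:
    """Constructed ELF header prefix, for demonstration only."""
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1]) + b"\x00" * 9
    return ident + struct.pack("<H" if ei_data == 1 else ">H", e_type)

if __name__ == "__main__":
    import sys
    # Default path is an assumption; pass an unpacked package tree instead.
    for p in find_no_pie(sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"):
        print(p)
```
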