Re: Rebuilding packages to increase Stretch's PIE coverage
2017-02-15 20:02 GMT+01:00 Niels Thykier <niels@thykier.net>:
> Bálint Réczey:
>> Dear Release Team,
>>
>> GCC uses PIE by default in unstable and testing but most packages
>> which haven't been rebuilt since the transition still ship unprotected
>> binaries [1].
>>
>> If the Team agrees I suggest rebuilding the packages which would
>> benefit from a rebuild. In case this gets a green light I would
>> volunteer to perform a test rebuild for each package to see if the
>> lintian warning goes away.
>>
>> Ideally #848129 would be fixed before the rebuild but it seems unlikely
>> that it would move forward without Release Team weighing in. I support
>> Adrian's suggestion about removing all PIE support from dpkg.
>>
>> Cheers,
>> Balint
>>
>> [1] https://lintian.debian.org/tags/hardening-no-pie.html
>>
>> PS: Thanks to Hanno Böck for asking about the current situation and
>> triggering this email. :-)
>>
>
> Hi Bálint,
>
> Thanks for the offer.
>
> Personally, I am inclined to accept as it means that we migrate to PIE
> for these binaries now rather than post-release (e.g. as a part of a
> security update or stable update).
>
> * Do you have a number of affected source packages handy?
A very quick estimate would be ~2000-2500 assuming each affected source generates
~2 affected binary packages:
$ w3m -dump https://lintian.debian.org/tags/hardening-no-pie.html |
grep binary | wc -l
4715
>
> * Do you have a plan for finding packages in testing that have not
> been rebuilt? (lintian.d.o does not include testing)
I think it is doable with some UDD magic which I have to figure out.
Help is welcome here. :-)
My plan was providing a list of the affected packages in unstable and
asking for a rebuild of those.
If they have a different version in testing and they can't migrate then
they are probably too hard to cover in one shot and should be checked
individually.
Cheers,
Balint
>
> Thanks,
> ~Niels
>
>
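A defender-side check for what the hardening-no-pie tag above reports, added here as an illustration and not part of this thread or of lintian itself: a small Python ELF-header parser that classifies a binary as a non-PIE executable (ET_EXEC), a PIE executable (ET_DYN carrying a PT_INTERP program header) or a plain shared object. The `make_sample_elf` helper constructs a minimal ELF64 image for testing; the PT_INTERP heuristic is an approximation of the real hardening check and, for example, reports an interpreter-bearing libc.so as PIE.

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3      # e_type values: fixed-address executable / position-independent
PT_INTERP = 3               # program header type carrying the dynamic loader path


def classify_elf(data: bytes) -> str:
    """Return 'not-elf', 'exec' (not PIE), 'pie', 'shared-object' or 'other'."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        return "not-elf"
    ei_class, ei_data = data[4], data[5]          # 1/2 = ELF32/ELF64, 1/2 = LE/BE
    end = "<" if ei_data == 1 else ">"
    if ei_class == 2:                              # ELF64 header layout
        e_type, = struct.unpack_from(end + "H", data, 16)
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    elif ei_class == 1:                            # ELF32 header layout
        e_type, = struct.unpack_from(end + "H", data, 16)
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    else:
        return "not-elf"
    if e_type == ET_EXEC:
        return "exec"                              # linked without -pie: what lintian flags
    if e_type != ET_DYN:
        return "other"                             # relocatable object, core file, ...
    # ET_DYN with an interpreter is (approximately) a PIE executable; without one a library.
    for i in range(e_phnum):
        p_type, = struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            return "pie"
    return "shared-object"


def make_sample_elf(e_type: int, with_interp: bool) -> bytes:
    """Constructed, non-runnable ELF64 LE image: header plus an optional PT_INTERP entry."""
    phnum = 1 if with_interp else 0
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    ph = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 0, 0, 0, 0, 0, 1) if with_interp else b""
    return hdr + ph


if __name__ == "__main__":
    # Usage: python3 pie_check.py /usr/bin/foo ... ; prints the files that are not PIE.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            if classify_elf(fh.read()) == "exec":
                print(f"{path}: not PIE")
```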