Re: Rebuilding packages to increase Stretch's PIE coverage

To: Niels Thykier <niels@thykier.net>
Cc: Debian Release Team <debian-release@lists.debian.org>, Holger Levsen <holger@layer-acht.org>
Subject: Re: Rebuilding packages to increase Stretch's PIE coverage
From: Bálint Réczey <balint@balintreczey.hu>
Date: Sat, 18 Feb 2017 01:59:58 +0100
Message-id: <[🔎] CAK0OdpzcnoSvNSwmObM5JVbhPpTcrv3_yWMWpqWZDzLxRfRt1w@mail.gmail.com>
Reply-to: balint@balintreczey.hu
In-reply-to: <[🔎] CAK0Odpz5o=Rowmvn7SGtA2nOu3+gzt75KeOVFLjvqRBBA1X73w@mail.gmail.com>
References: <[🔎] 7507c8e4-870f-d67b-9284-fa4a5908e4b0@balintreczey.hu> <[🔎] a60fe46b-d57e-75fc-fb80-ea2c6ce8e69b@thykier.net> <[🔎] CAK0Odpz5o=Rowmvn7SGtA2nOu3+gzt75KeOVFLjvqRBBA1X73w@mail.gmail.com>

Hi,

2017-02-15 21:37 GMT+01:00 Bálint Réczey <balint@balintreczey.hu>:
> 2017-02-15 20:02 GMT+01:00 Niels Thykier <niels@thykier.net>:
>> Bálint Réczey:
>>> Dear Release Team,
>>>
>>> GCC uses PIE by default in unstable and testing but most packages
>>> which haven't been rebuilt since the transition still ship unprotected
>>> binaries [1].
>>>
>>> If the Team agrees I suggest rebuilding the packages which would
>>> benefit from a rebuild. In case this gets a green light I would
>>> volunteer to perform a test rebuild for each package to see if the
>>> lintian warning goes away.
>>>
>>> Ideally #848129 would be fixed before the rebuild but it seems unlikely
>>> that it would move forward without Release Team weighing in. I support
>>> Adrian's suggestion about removing all PIE support from dpkg.
>>>
>>> Cheers,
>>> Balint
>>>
>>> [1] https://lintian.debian.org/tags/hardening-no-pie.html
>>>
>>> PS: Thanks to Hanno Böck for asking about the current situation and
>>> triggering this email. :-)
>>>
>>
>> Hi Bálint,
>>
>> Thanks for the offer.
>>
>> Personally, I am inclined to accept as it means that we migrate to PIE
>> for these binaries now rather than post-release (e.g. as a part of a
>> security update or stable update).
>>
>>  * Do you have a number of affected source packages handy?
> A very quick estimate would be ~2000-2500 assuming each affected source generate
> ~2 affected binary packages:
> $ w3m -dump https://lintian.debian.org/tags/hardening-no-pie.html |
> grep binary | wc -l
> 4715

The actual number may be a bit higher:

select distinct source
from (select source, unnest(regexp_split_to_array(bin, ', ')) as bin_as_rows
        from sources where release = 'sid') as sources_unnested, lintian
where tag = 'hardening-no-pie' and package_arch = 'amd64' and
lintian.package = sources_unnested.bin_as_rows
order by source;
...
zp
zpaq
zpspell
zssh
zsync
zypper
zziplib
zzuf
(3659rows)

I have started rebuilding them.

Cheers,
Balint

>
>>
>>  * Do you have a plan for finding packages in testing that has not
>>    been rebuilt?  (lintian.d.o does not include testing)
>
> I think it is doable with some UDD magic which I have to figure out.
> Help is welcome here. :-)
>
> My plan was providing a list for the affected packages in unstable and
> asking for a
> rebuild of those.
> If they have different version in testing and they can't migrate then
> they are probably too hard to cover in one shot and should be checked
> individually.
>
> Cheers,
> Balint
>
>>
>> Thanks,
>> ~Niels
>>
>>

Reply to:

References:
- Rebuilding packages to increase Stretch's PIE coverage
  - From: Bálint Réczey <balint@balintreczey.hu>
- Re: Rebuilding packages to increase Stretch's PIE coverage
  - From: Niels Thykier <niels@thykier.net>
- Re: Rebuilding packages to increase Stretch's PIE coverage
  - From: Bálint Réczey <balint@balintreczey.hu>

Prev by Date: Bug#855432: unblock: openssl/1.1.0e-1
Next by Date: Bug#855432: unblock: openssl/1.1.0e-1
Previous by thread: Re: Rebuilding packages to increase Stretch's PIE coverage
Next by thread: Re: Rebuilding packages to increase Stretch's PIE coverage
Index(es):
- Date
- Thread