Re: Rebuilding packages to increase Stretch's PIE coverage

To: Julien Cristau <jcristau@debian.org>
Cc: Debian Release Team <debian-release@lists.debian.org>, Holger Levsen <holger@layer-acht.org>
Subject: Re: Rebuilding packages to increase Stretch's PIE coverage
From: Bálint Réczey <balint@balintreczey.hu>
Date: Tue, 21 Feb 2017 12:44:53 +0100
Message-id: <[🔎] CAK0Odpw0d6QfoniNUsvL+pdrBwRSVB6cJ2Rye139egzR+_qptQ@mail.gmail.com>
Reply-to: balint@balintreczey.hu
In-reply-to: <[🔎] 20170219114602.zu2u6gdewh6mn7re@betterave.cristau.org>
References: <[🔎] 7507c8e4-870f-d67b-9284-fa4a5908e4b0@balintreczey.hu> <[🔎] 20170219114509.xay5afqw473vpdxm@betterave.cristau.org> <[🔎] 20170219114602.zu2u6gdewh6mn7re@betterave.cristau.org>

Hi All,

2017-02-19 12:46 GMT+01:00 Julien Cristau <jcristau@debian.org>:
> On Sun, Feb 19, 2017 at 12:45:09 +0100, Julien Cristau wrote:
>
>> On Wed, Feb 15, 2017 at 16:49:08 +0100, Bálint Réczey wrote:
>>
>> > Dear Release Team,
>> >
>> > GCC uses PIE by default in unstable and testing but most packages
>> > which haven't been rebuilt since the transition still ship unprotected
>> > binaries [1].
>> >
>> > If the Team agrees I suggest rebuilding the packages which would
>> > benefit from a rebuild. In case this gets a green light I would
>> > volunteer to perform a test rebuild for each package to see if the
>> > lintian warning goes away.
>> >
>> I don't think rebuilding the world on all release architectures in the
>> middle of the freeze is a good idea.  It's adding churn and risk and
>> work which IMO outweigh the supposed benefits.
>>
> That said a test rebuild (outside the archive) on all/most architectures
> wouldn't be a bad idea.

I have finished the rebuild on amd64.
3404 packages built successfully [1]
81   still had lintian warning about no-pie binary[2]
3324 would rebuild and the result would countain only PIE binaries per
Lintan [3]

IMHO if a the rebuild of a package breaks it or other packages then
this would be an RC bug in the package thus I believe this risk is not
a very good reason for not performing the binNMUs.

I am very happy about the progress of the release and I don't want to
risk delaying Stretch, but I think
we are at the beginning of the freeze period, rather than in the middle. :-)

I also think that it would be reasonable to plan mass rebuilds at the
beginning of each deep freeze period when the release benefits from it
greatly. The call would be done by the Release Team, but announcing
the possibility of such mass rebuilds would let others be prepared for
it.

Cheers,
Balint

[1] https://people.debian.org/~rbalint/pie-mass-rebuild/built-changes.txt
[2] https://people.debian.org/~rbalint/pie-mass-rebuild/sources-still-lintian-hardening-no-pie.txt
[3] https://people.debian.org/~rbalint/pie-mass-rebuild/sources-rebuild-works.txt

Reply to:

References:
- Rebuilding packages to increase Stretch's PIE coverage
  - From: Bálint Réczey <balint@balintreczey.hu>
- Re: Rebuilding packages to increase Stretch's PIE coverage
  - From: Julien Cristau <jcristau@debian.org>
- Re: Rebuilding packages to increase Stretch's PIE coverage
  - From: Julien Cristau <jcristau@debian.org>

Prev by Date: Bug#855697: unblock: setools/4.0.1-6
Next by Date: Bug#855652: marked as done (unblock: soundmanager2/2.97a.20150601+dfsg2-1)
Previous by thread: Re: Rebuilding packages to increase Stretch's PIE coverage
Next by thread: Processed: petsc / openmpi
Index(es):
- Date
- Thread