Re: Rebuilding packages to increase Stretch's PIE coverage

To: Julien Cristau <jcristau@debian.org>
Cc: Debian Release Team <debian-release@lists.debian.org>, Holger Levsen <holger@layer-acht.org>
Subject: Re: Rebuilding packages to increase Stretch's PIE coverage
From: Bálint Réczey <balint@balintreczey.hu>
Date: Wed, 8 Mar 2017 21:30:30 +0100
Message-id: <[🔎] CAK0Odpw1CcSxqiB1YcL6GbpK4-EJabfO7T5OjM0qTCWuHb_kkA@mail.gmail.com>
Reply-to: balint@balintreczey.hu
In-reply-to: <CAK0Odpw0d6QfoniNUsvL+pdrBwRSVB6cJ2Rye139egzR+_qptQ@mail.gmail.com>
References: <7507c8e4-870f-d67b-9284-fa4a5908e4b0@balintreczey.hu> <20170219114509.xay5afqw473vpdxm@betterave.cristau.org> <20170219114602.zu2u6gdewh6mn7re@betterave.cristau.org> <CAK0Odpw0d6QfoniNUsvL+pdrBwRSVB6cJ2Rye139egzR+_qptQ@mail.gmail.com>

Hi All.

2017-02-21 12:44 GMT+01:00 Bálint Réczey <balint@balintreczey.hu>:
> Hi All,
>
> 2017-02-19 12:46 GMT+01:00 Julien Cristau <jcristau@debian.org>:
>> On Sun, Feb 19, 2017 at 12:45:09 +0100, Julien Cristau wrote:
>>
>>> On Wed, Feb 15, 2017 at 16:49:08 +0100, Bálint Réczey wrote:
>>>
>>> > Dear Release Team,
>>> >
>>> > GCC uses PIE by default in unstable and testing but most packages
>>> > which haven't been rebuilt since the transition still ship unprotected
>>> > binaries [1].
>>> >
>>> > If the Team agrees I suggest rebuilding the packages which would
>>> > benefit from a rebuild. In case this gets a green light I would
>>> > volunteer to perform a test rebuild for each package to see if the
>>> > lintian warning goes away.
>>> >
>>> I don't think rebuilding the world on all release architectures in the
>>> middle of the freeze is a good idea.  It's adding churn and risk and
>>> work which IMO outweigh the supposed benefits.
>>>
>> That said a test rebuild (outside the archive) on all/most architectures
>> wouldn't be a bad idea.
>
> I have finished the rebuild on amd64.
> 3404 packages built successfully [1]
> 81   still had lintian warning about no-pie binary[2]
> 3324 would rebuild and the result would countain only PIE binaries per
> Lintan [3]
>
> IMHO if a the rebuild of a package breaks it or other packages then
> this would be an RC bug in the package thus I believe this risk is not
> a very good reason for not performing the binNMUs.
>
> I am very happy about the progress of the release and I don't want to
> risk delaying Stretch, but I think
> we are at the beginning of the freeze period, rather than in the middle. :-)
>
> I also think that it would be reasonable to plan mass rebuilds at the
> beginning of each deep freeze period when the release benefits from it
> greatly. The call would be done by the Release Team, but announcing
> the possibility of such mass rebuilds would let others be prepared for
> it.

Do you have any comment? Or is it the end of story for those ~3k
packages ready for PIE but without PIE in Stretch?

Cheers,
Balint

>
> Cheers,
> Balint
>
> [1] https://people.debian.org/~rbalint/pie-mass-rebuild/built-changes.txt
> [2] https://people.debian.org/~rbalint/pie-mass-rebuild/sources-still-lintian-hardening-no-pie.txt
> [3] https://people.debian.org/~rbalint/pie-mass-rebuild/sources-rebuild-works.txt

Reply to:

Follow-Ups:
- Re: Rebuilding packages to increase Stretch's PIE coverage
  - From: Bálint Réczey <balint@balintreczey.hu>

Prev by Date: Processed: navit loses OpenSSL support when rebuilt on a recent stretch/sid
Next by Date: Re: Rebuilding packages to increase Stretch's PIE coverage
Previous by thread: Processed: navit loses OpenSSL support when rebuilt on a recent stretch/sid
Next by thread: Re: Rebuilding packages to increase Stretch's PIE coverage
Index(es):
- Date
- Thread