
Re: Rebuilding packages to increase Stretch's PIE coverage



Hi All.

2017-02-21 12:44 GMT+01:00 Bálint Réczey <balint@balintreczey.hu>:
> Hi All,
>
> 2017-02-19 12:46 GMT+01:00 Julien Cristau <jcristau@debian.org>:
>> On Sun, Feb 19, 2017 at 12:45:09 +0100, Julien Cristau wrote:
>>
>>> On Wed, Feb 15, 2017 at 16:49:08 +0100, Bálint Réczey wrote:
>>>
>>> > Dear Release Team,
>>> >
>>> > GCC uses PIE by default in unstable and testing but most packages
>>> > which haven't been rebuilt since the transition still ship unprotected
>>> > binaries [1].
>>> >
>>> > If the Team agrees I suggest rebuilding the packages which would
>>> > benefit from a rebuild. In case this gets a green light I would
>>> > volunteer to perform a test rebuild for each package to see if the
>>> > lintian warning goes away.
>>> >
>>> I don't think rebuilding the world on all release architectures in the
>>> middle of the freeze is a good idea.  It's adding churn and risk and
>>> work which IMO outweigh the supposed benefits.
>>>
>> That said a test rebuild (outside the archive) on all/most architectures
>> wouldn't be a bad idea.
>
> I have finished the rebuild on amd64.
> 3404 packages built successfully [1]
> 81   still had lintian warning about no-pie binary[2]
> 3324 would rebuild and the result would contain only PIE binaries per
> Lintian [3]
>
> IMHO if the rebuild of a package breaks it or other packages then
> this would be an RC bug in the package thus I believe this risk is not
> a very good reason for not performing the binNMUs.
>
> I am very happy about the progress of the release and I don't want to
> risk delaying Stretch, but I think
> we are at the beginning of the freeze period, rather than in the middle. :-)
>
> I also think that it would be reasonable to plan mass rebuilds at the
> beginning of each deep freeze period when the release benefits from it
> greatly. The call would be done by the Release Team, but announcing
> the possibility of such mass rebuilds would let others be prepared for
> it.

Do you have any comment? Or is it the end of story for those ~3k
packages ready for PIE but without PIE in Stretch?

Cheers,
Balint

>
> Cheers,
> Balint
>
> [1] https://people.debian.org/~rbalint/pie-mass-rebuild/built-changes.txt
> [2] https://people.debian.org/~rbalint/pie-mass-rebuild/sources-still-lintian-hardening-no-pie.txt
> [3] https://people.debian.org/~rbalint/pie-mass-rebuild/sources-rebuild-works.txt

