
Re: Rebuilding packages to increase Stretch's PIE coverage



Hi,

2017-03-08 21:30 GMT+01:00 Bálint Réczey <balint@balintreczey.hu>:
> Hi All.
>
> 2017-02-21 12:44 GMT+01:00 Bálint Réczey <balint@balintreczey.hu>:
>> Hi All,
>>
>> 2017-02-19 12:46 GMT+01:00 Julien Cristau <jcristau@debian.org>:
>>> On Sun, Feb 19, 2017 at 12:45:09 +0100, Julien Cristau wrote:
>>>
>>>> On Wed, Feb 15, 2017 at 16:49:08 +0100, Bálint Réczey wrote:
>>>>
>>>> > Dear Release Team,
>>>> >
>>>> > GCC uses PIE by default in unstable and testing but most packages
>>>> > which haven't been rebuilt since the transition still ship unprotected
>>>> > binaries [1].
>>>> >
>>>> > If the Team agrees I suggest rebuilding the packages which would
>>>> > benefit from a rebuild. In case this gets a green light I would
>>>> > volunteer to perform a test rebuild for each package to see if the
>>>> > lintian warning goes away.
>>>> >
>>>> I don't think rebuilding the world on all release architectures in the
>>>> middle of the freeze is a good idea.  It's adding churn and risk and
>>>> work which IMO outweigh the supposed benefits.
>>>>
>>> That said a test rebuild (outside the archive) on all/most architectures
>>> wouldn't be a bad idea.
>>
>> I have finished the rebuild on amd64.
>> 3404 packages built successfully [1]
>> 81   still had lintian warning about no-pie binary [2]
>> 3324 would rebuild and the result would contain only PIE binaries per
>> Lintian [3]
>>
>> IMHO if the rebuild of a package breaks it or other packages then
>> this would be an RC bug in the package thus I believe this risk is not
>> a very good reason for not performing the binNMUs.
>>
>> I am very happy about the progress of the release and I don't want to
>> risk delaying Stretch, but I think
>> we are at the beginning of the freeze period, rather than in the middle. :-)
>>
>> I also think that it would be reasonable to plan mass rebuilds at the
>> beginning of each deep freeze period when the release benefits from it
>> greatly. The call would be done by the Release Team, but announcing
>> the possibility of such mass rebuilds would let others be prepared for
>> it.
>
> Do you have any comment? Or is it the end of story for those ~3k
> packages ready for PIE but without PIE in Stretch?

I'm sorry, I have not checked the PIE progress, just the emails.
I see PIE rebuilds for packages listed without PIE coverage.

The lintian tag graph also shows the progress, thanks!
https://lintian.debian.org/tags/hardening-no-pie.html

Cheers,
Balint

>
> Cheers,
> Balint
>
>>
>> Cheers,
>> Balint
>>
>> [1] https://people.debian.org/~rbalint/pie-mass-rebuild/built-changes.txt
>> [2] https://people.debian.org/~rbalint/pie-mass-rebuild/sources-still-lintian-hardening-no-pie.txt
>> [3] https://people.debian.org/~rbalint/pie-mass-rebuild/sources-rebuild-works.txt
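The no-pie distinction the thread relies on comes down to the ELF header's e_type field: ET_EXEC binaries load at a fixed address, ET_DYN binaries can be relocated by ASLR. The following is an added illustration, not code from the thread or from lintian; it parses that field from raw header bytes (both ELF classes and byte orders) and builds constructed headers for testing. It assumes the file being classified is an executable, since ET_DYN also covers shared libraries.

```python
import struct

# e_type values from the ELF specification
ET_EXEC = 2   # fixed load address: what lintian flags as hardening-no-pie
ET_DYN = 3    # position-independent: a PIE executable (or a shared object)


def elf_type(header: bytes) -> str:
    """Classify ELF header bytes as 'pie', 'no-pie' or 'other'.

    Only e_ident and e_type (offset 16, 2 bytes) are needed; the data
    encoding byte at e_ident[5] tells us how to unpack e_type.
    """
    if len(header) < 18 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = {1: "<", 2: ">"}.get(header[5])   # 1 = LSB, 2 = MSB
    if endian is None:
        raise ValueError("unknown ELF data encoding")
    (e_type,) = struct.unpack_from(endian + "H", header, 16)
    return {ET_EXEC: "no-pie", ET_DYN: "pie"}.get(e_type, "other")


def make_header(e_type: int, elf_class: int = 2,
                little_endian: bool = True) -> bytes:
    """Constructed minimal ELF header (20 bytes) for testing only.

    e_ident is 16 bytes: magic, class (1=32-bit, 2=64-bit), data encoding,
    version, OS ABI, ABI version and 7 bytes of padding; then e_type and
    e_machine (62 = x86-64) follow as 16-bit fields.
    """
    ident = (b"\x7fELF"
             + bytes([elf_class, 1 if little_endian else 2, 1])
             + b"\x00" * 9)
    endian = "<" if little_endian else ">"
    return ident + struct.pack(endian + "HH", e_type, 62)


def check_file(path: str) -> str:
    """Read the header of a real binary from disk and classify it."""
    with open(path, "rb") as f:
        return elf_type(f.read(64))


if __name__ == "__main__":
    # Constructed samples only; pass a real path to check_file() for a
    # binary from the rebuild list.
    print("ET_EXEC header ->", elf_type(make_header(ET_EXEC)))
    print("ET_DYN  header ->", elf_type(make_header(ET_DYN)))
```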

