Re: Enabling PIE by default for Stretch
Hi Maximiliano,
2016-10-10 14:21 GMT+02:00 Maximiliano Curia <maxy@debian.org>:
> ¡Hola Niels!
>
> El 2016-10-10 a las 05:44 +0000, Niels Thykier escribió:
>>
>> Niels Thykier:
>>>
>>> As brought up on the meeting last night, I think we should try to go for
>>> PIE by default in Stretch on all release architectures!
>>>
>>> * It is a substantial hardening feature
>>> * Upstream has vastly reduced the performance penalty for x86
>>> * The majority of all porters believe their release architecture is
>>>   ready for it.
>>> * We have sufficient time to solve any issues or revert if it turns out
>>>   to be too problematic.
>>>
>>> [...]
>>>
>>> * Deadline for major concerns: Fri, 7th of October 2016.
>>
>> It appears that there were no major concerns. I will follow up #835148
>> and request PIE by default for the following architectures.
>>
>> * amd64
>> * arm64
>> * armel
>> * armhf
>> * i386
>> * mips
>> * mips64el
>> * mipsel
>> * ppc64el
>> * s390x
>
> Such a change will produce unneeded FTBFSs in libraries using -fPIC (such
> as qt5 and all its dependencies).
>
> Afaik, -fPIC is stronger than -fPIE, at the same time, -fPIE is incompatible
> with -fPIC and -fPIE makes little sense in shared libraries.
>
> And while a single patch should be trivial, I fear they would be many
> specific ones.
Have you seen the results of the test-rebuild performed with the
changed defaults?
I have put together a page with related links and information where
you can find the rebuild results, too:
https://wiki.debian.org/Hardening/PIEByDefaultTransition
Cheers,
Balint
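
The thread is about whether the PIE default actually lands in built binaries
and where -fPIC shared objects get caught up in it. A quick way to check the
result of a rebuild is to look at what the linker produced rather than at the
flags: a non-PIE executable is ET_EXEC, while a PIE executable and a shared
library are both ET_DYN and differ in whether a PT_INTERP program header is
present. The script below is an added example for this thread, not code from
Debian, the wiki page or the PIE transition itself. It builds small
constructed ELF images inline (header plus program header table only, not
loadable) so it runs without a compiler, and it takes real paths on the
command line. The PT_INTERP heuristic is the same one `file` falls back on
and has known edge cases: a runnable library such as glibc's libc.so carries
PT_INTERP and is reported as PIE, and a static-pie binary has no interpreter
and is reported as DYN; for package audits, Debian's hardening-check from
devscripts is the tool to use.

```python
"""Classify an ELF image as non-PIE executable, PIE executable or shared object.

Added example for this thread; not code from Debian or the PIE transition page.
Constructed ELF images are built inline so the script runs without a compiler.
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3        # e_type values from the ELF specification
PT_LOAD, PT_INTERP = 1, 3     # program header types this check cares about


def build_elf(e_type, ptypes, bits=64, little=True):
    """Build a minimal, constructed (not loadable) ELF image: header + phdrs.

    Only the fields classify() reads are meaningful; the rest is zero.
    """
    end = '<' if little else '>'
    ident = (b'\x7fELF'
             + bytes([2 if bits == 64 else 1, 1 if little else 2, 1])
             + bytes(9))
    if bits == 64:
        ehsize, phentsize = 64, 56
        hdr = ident + struct.pack(end + 'HHIQQQIHHHHHH',
                                  e_type, 62, 1, 0, ehsize, 0, 0,
                                  ehsize, phentsize, len(ptypes), 64, 0, 0)
        phdrs = b''.join(struct.pack(end + 'IIQQQQQQ', pt, 4, 0, 0, 0, 0, 0, 1)
                         for pt in ptypes)
    else:
        ehsize, phentsize = 52, 32
        hdr = ident + struct.pack(end + 'HHIIIIIHHHHHH',
                                  e_type, 8, 1, 0, ehsize, 0, 0,
                                  ehsize, phentsize, len(ptypes), 40, 0, 0)
        phdrs = b''.join(struct.pack(end + 'IIIIIIII', pt, 0, 0, 0, 0, 0, 4, 1)
                         for pt in ptypes)
    return hdr + phdrs


def classify(data):
    """Return 'EXEC' (fixed address, not PIE), 'PIE' (ET_DYN with PT_INTERP),
    'DYN' (ET_DYN without an interpreter, i.e. a shared library) or 'OTHER'.

    Caveat: a runnable library with PT_INTERP (glibc's libc.so) shows as PIE
    and a static-pie executable, which has no PT_INTERP, shows as DYN.
    """
    if data[:4] != b'\x7fELF':
        raise ValueError('not an ELF image')
    cls, enc = data[4], data[5]           # EI_CLASS (1=32-bit, 2=64-bit), EI_DATA
    if cls not in (1, 2) or enc not in (1, 2):
        raise ValueError('unsupported ELF class or data encoding')
    end = '<' if enc == 1 else '>'        # handles big-endian ports such as mips
    e_type, = struct.unpack_from(end + 'H', data, 16)
    if cls == 2:
        e_phoff, = struct.unpack_from(end + 'Q', data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + 'HH', data, 54)
    else:
        e_phoff, = struct.unpack_from(end + 'I', data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + 'HH', data, 42)
    has_interp = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            raise ValueError('program header table truncated')
        p_type, = struct.unpack_from(end + 'I', data, off)
        if p_type == PT_INTERP:
            has_interp = True
            break
    if e_type == ET_EXEC:
        return 'EXEC'
    if e_type == ET_DYN:
        return 'PIE' if has_interp else 'DYN'
    return 'OTHER'


if __name__ == '__main__':
    # Usage: python3 pie_check.py /usr/bin/* /usr/lib/x86_64-linux-gnu/*.so*
    for path in sys.argv[1:]:
        with open(path, 'rb') as fh:
            print(path, classify(fh.read()))
```

Running it over /usr/bin after a rebuild gives a quick EXEC-vs-PIE count per
package without trusting build logs; anything still reporting EXEC on one of
the listed architectures is a package that did not pick up the new default.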