
Re: Enabling PIE by default for Stretch

[CCing porters, please also leave feedback in #835148 for non-release architectures]

On 29.09.2016 21:39, Niels Thykier wrote:
> Hi,
> 
> As brought up on the meeting last night, I think we should try to go for
> PIE by default in Stretch on all release architectures!
>  * It is a substantial hardening feature
>  * Upstream has vastly reduced the performance penalty for x86
>  * The majority of all porters believe their release architecture is
>    ready for it.
>  * We have sufficient time to solve any issues or revert if it turns out
>    to be too problematic.
> 
> As agreed on during the [meeting], if there are no major concerns to
> this proposal in general within a week, I shall file a bug against GCC
> requesting PIE by default on all release architectures (with backing
> porters).

Please re-use #835148.

>   If there are only major concerns with individual architectures, I will
> simply exclude said architectures in the "PIE by default" request.
> 
>  * Deadline for major concerns:  Fri, 7th of October 2016.
> 
> Fall-out
> ========
> 
> There will be some possible fall-out from this change:
> 
>  * There will be some FTBFS caused by some packages needing a rebuild
>    before reverse dependencies can enable PIE.  These are a subset of
>    the bugs filed in the [pie+bindnow] build tests.
> 
>  * Some packages may not be ready for PIE.  These will have to disable
>    it per package.  A notable case being ghc (#712228), where we can
>    reuse the patch from Ubuntu to work around the issue.
> 
>  * A possible issue from Matthias was that no one has done a large scale
>    "PIE by default" on "arm* mips*".
> 
>  * There was concern about whether the 32bit arm architectures would be
>    notably affected by the PIE slow down (like x86 used to be).
>    It is not measured, but two arm porters did mention a possible
>    slowdown.
> 
>  * It was questioned whether it made sense to invest time and effort in
>    enabling PIE for architectures which would not be included in Buster
>    (armel?). Personally, I do not see an issue, if the porters are
>    ready to put in the effort required.
> 
> Thanks,
> ~Niels
> 
> [meeting]:
> http://meetbot.debian.net/debian-release/2016/debian-release.2016-09-28-19.00.html
> 
> [pie+bindnow]:
> https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=pie-bindnow-20160906&users=balint%40balintreczey.hu;dist=unstable
> 

