Re: Enabling PIE by default for Stretch
[CCing porters, please also leave feedback in #835148 for non-release architectures]
On 29.09.2016 21:39, Niels Thykier wrote:
> Hi,
>
> As brought up on the meeting last night, I think we should try to go for
> PIE by default in Stretch on all release architectures!
> * It is a substantial hardening feature
> * Upstream has vastly reduced the performance penalty for x86
> * The majority of all porters believe their release architecture is
> ready for it.
> * We have sufficient time to solve any issues or revert if it turns out
> to be too problematic.
>
> As agreed on during the [meeting], if there are no major concerns to
> this proposal in general within a week, I shall file a bug against GCC
> requesting PIE by default on all release architectures (with backing
> porters).
please re-use #835148
> If there are only major concerns with individual architectures, I will
> simply exclude said architectures in the "PIE by default" request.
>
> * Deadline for major concerns: Fri, 7th of October 2016.
>
> Fall-out
> ========
>
> There will be some possible fall-out from this change:
>
> * There will be some FTBFS caused by some packages needing a rebuild
> before reverse dependencies can enable PIE. These are a subset of
> the bugs filed in the [pie+bindnow] build tests.
>
> * Some packages may not be ready for PIE. These will have to disable
> it per package. A notable case being ghc (#712228), where we can
> reuse the patch from Ubuntu to work around the issue.
>
> * A possible issue from Matthias was that no one has done a large scale
> "PIE by default" on "arm* mips*".
>
> * There was concern about whether the 32bit arm architectures would be
> notably affected by the PIE slow down (like x86 used to be).
> It is not measured, but two arm porters did mention a possible
> slowdown
>
> * It was questioned whether it made sense to invest time and effort in
> enabling PIE for architectures which would not be included in Buster
> (armel?). Personally, I do not see an issue, if the porters are
> ready to put in the effort required.
>
> Thanks,
> ~Niels
>
> [meeting]:
> http://meetbot.debian.net/debian-release/2016/debian-release.2016-09-28-19.00.html
>
> [pie+bindnow]:
> https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=pie-bindnow-20160906&users=balint%40balintreczey.hu;dist=unstable
>
>
>
>
Reply to: