On Wed, 2016-03-09 at 14:07:22 +0100, Bálint Réczey wrote:
> 2016-03-09 12:09 GMT+01:00 Guillem Jover <guil...@debian.org>:
> > On Tue, 2016-03-08 at 11:29:04 +0100, Bálint Réczey wrote:
> >> 2016-03-08 1:52 GMT+01:00 Guillem Jover <guil...@debian.org>:
> >> > Actually setting bindnow and PIE would be fine as part of the default
> >> > build flags from dpkg, because those do not change the ABI in
> >> > principle. And those are the only ones I'd accept from this bug
> >> > report, but certainly not the ABI changing ones.
> >
> >> Do you mean you would be open to setting PIE and maybe bindnow as default
> >> flags for a potential new architecture or even for existing ones like
> >> amd64?
> >> In the latter case would you like to discuss that on debian-devel?
> >> I would support such changes and I think we are in time for enabling
> >> PIE for Stretch and bindnow for Stretch+1 (maybe Stretch).
> >
> > Setting PIE and bindnow for the proposed new arch seems fine to me, as
> > its main raison d'être is precisely to be hardened. I don't think
> > anything has changed significantly to globally enable these by default
> > everywhere though (i.e. performance and potential for breakage, at least).

> I think there were significant changes in the open source landscape.
> Fedora 23 came out with PIE and bindnow by default:
> https://fedoraproject.org/wiki/Changes/Harden_All_Packages#Detailed_Harden_Flags_Description

Actually you are right, as I also noticed a lintian commit adding a
reference to:

<https://software.intel.com/en-us/blogs/2014/12/26/new-optimizations-for-x86-in-upcoming-gcc-50-32bit-pic-mode>

So the overhead might not be a problem anymore (at least on i386).

> GCC 6 will add the --enable-default-pie configure option, doko already
> back-ported it to 5.x in unstable and it is already enabled for Ubuntu s390x:
> http://anonscm.debian.org/viewvc/gcccvs/branches/sid/gcc-5/debian/rules.defs?view=markup#l1204
>
> I think it would be reasonable to follow Fedora and making both PIE
> and bindnow opt-in after fixing most packages which don't build, based
> on an archive-wide rebuild test in advance.

Opt-out I guess, as they are already opt-in :).

In any case if you want to pursue this, please take a look at:

<https://wiki.debian.org/Teams/Dpkg/FAQ#Q:_Can_we_add_support_for_new_default_build_flags_to_dpkg-buildflags.3F>

:)

Thanks,
Guillem
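The thread talks about PIE and bindnow as build flags, but an archive-wide rebuild is only useful if you can verify what actually landed in the shipped binaries. What follows is an added example, not code from this thread, dpkg or lintian: a small checker that reads the ELF fields the linker sets for these two options directly. `-pie` produces an ET_DYN executable that still carries a PT_INTERP entry (and newer binutils additionally set DF_1_PIE in DT_FLAGS_1), while `-Wl,-z,now` shows up as DT_BIND_NOW, DF_BIND_NOW in DT_FLAGS or DF_1_NOW in DT_FLAGS_1. The constants are the standard ones from elf.h; the sample ELF images are constructed in memory for the example and are not real binaries, and the checker assumes little-endian ELF64 input.

```python
"""Check an ELF64 binary for PIE and bindnow by reading its headers.

Added example, not code from the Debian thread, dpkg or lintian.
The ELF constants are the standard ones from elf.h; the sample images
built by build_sample_elf() are constructed test input, not real files.
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8          # DT_FLAGS bit set by -z now
DF_1_NOW = 0x1             # DT_FLAGS_1 bit set by -z now
DF_1_PIE = 0x08000000      # DT_FLAGS_1 bit set by newer binutils for -pie


def check_hardening(elf: bytes) -> dict:
    """Return {'pie': bool, 'bindnow': bool} for a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type, = struct.unpack_from("<H", elf, 16)
    e_phoff, = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)

    # Walk the program headers: PT_INTERP marks an executable (as opposed
    # to a shared library), PT_DYNAMIC locates the dynamic section.
    has_interp, dynamic = False, None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, off)
        if p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_DYNAMIC:
            dynamic = elf[p_offset:p_offset + p_filesz]

    # Collect dynamic tags up to DT_NULL; d_tag is signed, d_val unsigned.
    tags = {}
    if dynamic is not None:
        for off in range(0, len(dynamic), 16):
            d_tag, d_val = struct.unpack_from("<qQ", dynamic, off)
            if d_tag == DT_NULL:
                break
            tags[d_tag] = d_val

    flags1 = tags.get(DT_FLAGS_1, 0)
    # PIE: an ET_DYN image that is meant to be executed (has PT_INTERP),
    # or one that the linker explicitly marked DF_1_PIE.
    pie = (e_type == ET_DYN and has_interp) or bool(flags1 & DF_1_PIE)
    # bindnow: any of the three spellings the linker emits for -z now.
    bindnow = (DT_BIND_NOW in tags
               or bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW)
               or bool(flags1 & DF_1_NOW))
    return {"pie": pie, "bindnow": bindnow}


def build_sample_elf(e_type: int, dyn_entries: list) -> bytes:
    """Construct a minimal ELF64 image (constructed test input) with one
    PT_INTERP and one PT_DYNAMIC header pointing at the given tags."""
    ehdr_size, phdr_size, phnum = 64, 56, 2
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    interp_off = ehdr_size + phnum * phdr_size
    dyn_off = interp_off + len(interp)
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    # e_ident: magic, ELFCLASS64, ELFDATA2LSB, EV_CURRENT, padding.
    ehdr = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9
    ehdr += struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, ehdr_size, 0, 0,
                        ehdr_size, phdr_size, phnum, 64, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_INTERP, 4, interp_off, 0, 0,
                        len(interp), len(interp), 1)
    phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0,
                         len(dyn), len(dyn), 8)
    return ehdr + phdrs + interp + dyn


# What a binary built with -fPIE -pie -Wl,-z,now looks like, and what a
# plain non-PIE, lazily bound executable looks like (both constructed).
HARDENED_SAMPLE = build_sample_elf(
    ET_DYN, [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW | DF_1_PIE)])
LEGACY_SAMPLE = build_sample_elf(ET_EXEC, [])

if __name__ == "__main__":
    # Usage: python3 check_hardening.py /usr/bin/foo ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, check_hardening(fh.read()))
```

Pointing the script at real binaries from a rebuilt package is the practical use; the dynamic-tag walk is what makes the bindnow check robust, since different linker versions record `-z now` in different tags and checking only DT_BIND_NOW gives false negatives.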