Bálint Réczey:
> Hi,
>
> [...]

Hi,

> I think making PIE and bindnow default in dpkg (at least for amd64) would be
> perfect release goals for Stretch.

I support the end goal, but I suspect we should enable PIE by default via
GCC-6's new configure switch[1]. Assuming it does what I hope, then it will
work better than enabling PIE via dpkg-buildflags.

 * The major issue with PIE by default is that it is not compatible with
   -fPIC (and presumably also -static), which causes FTBFS or broken ELF
   binaries.
 * Assuming the GCC option does what I hope, then it would automatically
   disable PIE for irrelevant outputs.

My assumption seems to be aligned with the approach taken by Ubuntu.

> This would make Debian on par with Fedora and Ubuntu in that regard.
> FTR, Fedora seems to have some special logic for adding PIE only to executables.
> We briefly discussed that with Guillem in a related bug report:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812783#42
>
> I think the next step could be an archive rebuild with the changed defaults
> if we would like to pursue this:
> https://wiki.debian.org/Teams/Dpkg/FAQ#Q:_Can_we_add_support_for_new_default_build_flags_to_dpkg-buildflags.3F
>
> I planned starting a discussion on debian-devel about PIE + bindnow, too,
> after checking all the packages which contain statically compiled binaries
> because they may need patching to disable PIE flags based on Lunar's post:
> https://people.debian.org/~lunar/blog/posts/aslr_now/
>
> Cheers,
> Balint
>
>> [...]

In summary:

 * I would welcome bindnow by default via dpkg-buildflags.
 * I would also love to have PIE as default for Stretch although I fear
   dpkg-buildflags is the wrong approach for that particular flag.

Thanks,
~Niels

[1] https://gcc.gnu.org/gcc-6/changes.html
"""The --enable-default-pie configure option enables generation of PIE by
default."""
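The checks the thread is talking about (is an ELF object a PIE, does it request bindnow, is it static so that neither applies) can all be read from the ELF headers. The script below is an added example, not code from the thread, from dpkg or from devscripts. It parses the ELF header, PT_INTERP and PT_DYNAMIC of little-endian ELF64 images; the four sample images are constructed in-script with build_elf() (a hypothetical fixture builder, not a real linker output) so it runs offline. On a real system the same information is what readelf -h (Type: EXEC vs DYN) and readelf -d (FLAGS / FLAGS_1) print, or what Debian's hardening-check reports.

```python
import struct
from dataclasses import dataclass

# ELF constants as defined in elf.h (names match the specification).
ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8           # DT_FLAGS: resolve all symbols at load time
DF_1_NOW = 0x1              # DT_FLAGS_1: same request, newer tag
DF_1_PIE = 0x08000000       # DT_FLAGS_1: linker marked this ET_DYN object as a PIE

EHDR_FMT = "<HHIQQQIHHHHHH"  # Elf64_Ehdr after the 16-byte e_ident
PHDR_FMT = "<IIQQQQQQ"       # Elf64_Phdr
DYN_FMT = "<qQ"              # Elf64_Dyn


@dataclass
class HardeningReport:
    e_type: int
    dynamic: bool   # has a PT_DYNAMIC segment (False for a -static binary)
    pie: bool
    bindnow: bool


def inspect_elf(data: bytes) -> HardeningReport:
    """Classify a little-endian ELF64 image by PIE and bindnow status."""
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("not a little-endian ELF64 image")
    (e_type, _machine, _ver, _entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = struct.unpack_from(EHDR_FMT, data, 16)
    has_interp, has_dynamic, dyn = False, False, {}
    for i in range(e_phnum):
        p_type, _pflags, p_offset, _vaddr, _paddr, p_filesz, _memsz, _align = \
            struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_DYNAMIC:
            has_dynamic = True
            pos, end = p_offset, p_offset + p_filesz
            while pos + 16 <= end:
                tag, val = struct.unpack_from(DYN_FMT, data, pos)
                if tag == DT_NULL:
                    break
                dyn[tag] = val
                pos += 16
    flags, flags_1 = dyn.get(DT_FLAGS, 0), dyn.get(DT_FLAGS_1, 0)
    # A PIE is an ET_DYN object that is really an executable: either the linker
    # flagged it DF_1_PIE, or it carries a PT_INTERP. Plain shared libraries are
    # ET_DYN too, so e_type alone is not enough to call something a PIE.
    pie = e_type == ET_DYN and (bool(flags_1 & DF_1_PIE) or has_interp)
    bindnow = bool(flags & DF_BIND_NOW) or bool(flags_1 & DF_1_NOW)
    return HardeningReport(e_type, has_dynamic, pie, bindnow)


def build_elf(e_type: int, dyn_entries=None, interp: bool = False) -> bytes:
    """Constructed fixture: a minimal ELF64 image with optional PT_INTERP and
    PT_DYNAMIC segments. Not loadable; just enough structure for inspect_elf()."""
    segments = []
    if interp:
        segments.append((PT_INTERP, b"/lib64/ld-linux-x86-64.so.2\0"))
    if dyn_entries is not None:
        dyn = b"".join(struct.pack(DYN_FMT, t, v) for t, v in dyn_entries)
        segments.append((PT_DYNAMIC, dyn + struct.pack(DYN_FMT, DT_NULL, 0)))
    phoff, phnum = 64, len(segments)
    data_off = phoff + phnum * 56
    phdrs, payload = b"", b""
    for p_type, blob in segments:
        off = data_off + len(payload)
        phdrs += struct.pack(PHDR_FMT, p_type, 4, off, 0, 0, len(blob), len(blob), 8)
        payload += blob
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + bytes(8)
    ehdr = ident + struct.pack(EHDR_FMT, e_type, 62, 1, 0, phoff if phnum else 0,
                               0, 0, 64, 56, phnum, 64, 0, 0)
    return ehdr + phdrs + payload


# Constructed sample images covering the cases discussed in the thread.
FIXTURES = {
    "pie-bindnow": build_elf(ET_DYN, [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW | DF_1_PIE)], interp=True),
    "shared-lib": build_elf(ET_DYN, [(DT_FLAGS_1, DF_1_NOW)]),
    "non-pie-exec": build_elf(ET_EXEC, [(DT_FLAGS, 0)], interp=True),
    "static-exec": build_elf(ET_EXEC),
}


def describe(data: bytes) -> str:
    r = inspect_elf(data)
    if not r.dynamic:
        return "static (no PT_DYNAMIC; PIE/bindnow not applicable)"
    return f"{'PIE' if r.pie else 'no PIE'}, {'bindnow' if r.bindnow else 'lazy binding'}"


if __name__ == "__main__":
    for name, image in FIXTURES.items():
        print(f"{name:13s} {describe(image)}")
```

The shared-lib fixture is the case worth noting for an archive-wide scan: it is ET_DYN with bindnow set but is not a PIE, so a checker that only looks at e_type would over-count PIE coverage. Real binaries linked with -static have no PT_DYNAMIC at all, which is why they show up as a separate class rather than as "no PIE".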