Hi, 2016-12-17 10:17 GMT+01:00 Julien Cristau <jcris...@debian.org>: > On Sat, Dec 17, 2016 at 09:20:40 +0100, Bálint Réczey wrote: > >> >> >> Considering that we are already in the transition freeze I suggest >> >> >> going with enabling bindnow for all architectures in dpkg and >> >> >> for Stretch+1 the responsibility of setting some hardening flags >> >> >> could be transferred to gcc. >> >> >> IMO this is not a transition because the change does not affect >> >> >> package interdependencies. >> >> > >> >> > Is there any update on this? >> > >> > I've not seen any reply from the release team, no. And as explicitly >> > mentioned before multiple times now, this has the potential to impact >> > the release by introducing subtle and possibly hard to spot errors at >> > *run-time*, which might be triggered by simple a upload or a binNMU w/o >> > the maintainer being in the loop and knowing they have enabled bindnow. >> > So I want the release team to be involved in ACKing this potentially >> > release breaking change. >> >> I would like to kindly ask the Release Team to share its position on the >> bindnow question since Guillem don't seem to let this move forward >> without that. >> > That is very much not happening for stretch.
This is a bit terse and a bit late but DD-s are still free to enable bindnow per package in the next 7 days. Affected packages: https://lintian.debian.org/tags/hardening-no-bindnow.html Thanks, Balint
