Hi Niels,

2016-05-15 20:49 GMT+02:00 Niels Thykier <ni...@thykier.net>:
> Bálint Réczey:
>> Hi,
>>
>> [...]
>>
>
> Hi,
>
>> I think making PIE and bindnow default in dpkg (at least for amd64) would be
>> perfect release goals for Stretch.
>>
>
> I support the end goal, but I suspect we should enable PIE by default
> via GCC-6's new configure switch[1]. Assuming it does what I hope, then
> it will work better than enabling PIE via dpkg-buildflags.
>
> * The major issue with PIE by default is that it is not compatible
> with -fPIC (and presumably also -static), which causes FTBFS or
> broken ELF binaries.
>
> * Assuming the GCC option does what I hope, then it would automatically
> disable PIE for irrelevant outputs.
>
> My assumption seems to be aligned with the approach taken by Ubuntu.

I agree that it would be the easier way, and I also tried building packages
with a patched GCC 5 setting PIE as the default, with success, but we have a
CTTE decision which says that we should set hardening flags through dpkg:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552688

>
>> This would make Debian on par with Fedora and Ubuntu in that regard.
>>
>
> FTR, Fedora seems to have some special logic for adding PIE only to
> executables.
>
>> We briefly discussed that with Guillem in a related bug report:
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812783#42
>>
>> I think the next step could be an archive rebuild with the changed defaults
>> if we would like to pursue this:
>> https://wiki.debian.org/Teams/Dpkg/FAQ#Q:_Can_we_add_support_for_new_default_build_flags_to_dpkg-buildflags.3F
>>
>> I planned starting a discussion on debian-devel about PIE + bindnow,
>> too, after checking all the packages which contain statically compiled
>> binaries, because they may need patching to disable PIE flags, based on
>> Lunar's post:
>> https://people.debian.org/~lunar/blog/posts/aslr_now/
>>
>> Cheers,
>> Balint
>>
>>> [...]
>
> In summary:
>
> * I would welcome bindnow by default via dpkg-buildflags.
>
> * I would also love to have PIE as default for Stretch although I fear
> dpkg-buildflags is the wrong approach for that particular flag.

I would be happy with either of the approaches.

Cheers,
Balint

>
> Thanks,
> ~Niels
>
> [1] https://gcc.gnu.org/gcc-6/changes.html
>
> """The --enable-default-pie configure option enables generation of PIE
> by default."""
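The flags discussed above (PIE and bindnow) show up directly in the ELF output, which is how an archive rebuild or a lintian-style check can tell whether a package actually got them. The following is an added example, not code from the thread, dpkg or GCC: a small ELF64 little-endian parser that reports whether a binary is a PIE (ET_DYN plus PT_INTERP, or the DF_1_PIE flag newer linkers set) and whether it has BIND_NOW (DT_BIND_NOW, DF_BIND_NOW in DT_FLAGS, or DF_1_NOW in DT_FLAGS_1), distinguishing a shared library from a PIE and treating a fully static binary, the case Balint mentions, as one where neither flag applies. The sample images it checks are constructed in the script (headers only, no code), so it runs offline without readelf; the constant values are from the ELF gABI and elf.h.

```python
"""Check ELF64 executables for PIE and BIND_NOW (added example, not from the thread)."""
import struct

# ELF constants (values from the ELF gABI / glibc elf.h).
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW, DF_1_PIE = 0x1, 0x08000000

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                 # Elf64_Dyn, 16 bytes


def parse(elf: bytes) -> dict:
    """Return e_type, the set of program header types and the dynamic tags."""
    (ident, e_type, _mach, _ver, _entry, phoff, _shoff, _flags,
     _ehsize, phentsize, phnum, _shentsize, _shnum, _shstrndx) = EHDR.unpack_from(elf, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not an ELF64 little-endian file")
    phdrs = [PHDR.unpack_from(elf, phoff + i * phentsize) for i in range(phnum)]
    dyn = {}
    for p_type, _pf, p_offset, _va, _pa, p_filesz, *_ in phdrs:
        if p_type == PT_DYNAMIC:
            for off in range(p_offset, p_offset + p_filesz, DYN.size):
                tag, val = DYN.unpack_from(elf, off)
                if tag == DT_NULL:
                    break
                dyn[tag] = val
    return {"e_type": e_type, "ptypes": {p[0] for p in phdrs}, "dyn": dyn}


def check(elf: bytes) -> dict:
    """Classify one ELF image: PIE or not, BIND_NOW or not (None when static)."""
    info = parse(elf)
    dyn, ptypes = info["dyn"], info["ptypes"]
    flags, flags1 = dyn.get(DT_FLAGS, 0), dyn.get(DT_FLAGS_1, 0)
    dynamic = PT_DYNAMIC in ptypes
    # A PIE is ET_DYN like a shared library; PT_INTERP (dynamic PIE) or
    # DF_1_PIE (set by newer linkers, also for static PIE) tells them apart.
    pie = info["e_type"] == ET_DYN and (PT_INTERP in ptypes or bool(flags1 & DF_1_PIE))
    bind_now = DT_BIND_NOW in dyn or bool(flags & DF_BIND_NOW) or bool(flags1 & DF_1_NOW)
    return {
        "type": {ET_EXEC: "EXEC", ET_DYN: "DYN"}.get(info["e_type"], "other"),
        "dynamic": dynamic,
        "pie": pie,
        # A fully static binary has no dynamic section: nothing to bind.
        "bind_now": bind_now if dynamic else None,
    }


def build_elf(e_type, interp=True, dynamic=True, dt_flags=0, dt_flags_1=0) -> bytes:
    """Construct a minimal ELF64 image (headers and dynamic tags only) for testing."""
    entries = [(t, v) for t, v in ((DT_FLAGS, dt_flags), (DT_FLAGS_1, dt_flags_1)) if v]
    entries.append((DT_NULL, 0))
    dyn_blob = b"".join(DYN.pack(t, v) for t, v in entries)
    interp_blob = b"/lib64/ld-linux-x86-64.so.2\0"
    phnum = int(interp) + int(dynamic)
    phoff = EHDR.size
    dyn_off = phoff + phnum * PHDR.size
    interp_off = dyn_off + len(dyn_blob)
    phdrs = b""
    if interp:
        n = len(interp_blob)
        phdrs += PHDR.pack(PT_INTERP, 4, interp_off, interp_off, interp_off, n, n, 1)
    if dynamic:
        n = len(dyn_blob)
        phdrs += PHDR.pack(PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, n, n, 8)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELF64, LE, SysV ABI
    ehdr = EHDR.pack(ident, e_type, 62, 1, 0x1000, phoff, 0, 0,
                     EHDR.size, PHDR.size, phnum, 0, 0, 0)
    return ehdr + phdrs + dyn_blob + interp_blob


# Constructed samples standing in for the cases the thread discusses.
SAMPLES = {
    # non-PIE dynamic executable with lazy binding (the old default)
    "plain": build_elf(ET_EXEC),
    # -fPIE -pie -Wl,-z,now, i.e. hardening=+pie,+bindnow
    "hardened": build_elf(ET_DYN, dt_flags=DF_BIND_NOW, dt_flags_1=DF_1_NOW | DF_1_PIE),
    # -static: no PT_INTERP and no PT_DYNAMIC, so neither flag applies
    "static": build_elf(ET_EXEC, interp=False, dynamic=False),
    # shared library: ET_DYN but not an executable, must not count as PIE
    "library": build_elf(ET_DYN, interp=False, dt_flags_1=DF_1_NOW),
}


def report() -> dict:
    return {name: check(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:9s} {result}")
```

To run it against a real build, read the file with `open(path, "rb").read()` and pass it to `check()`; a package whose binaries come back as `type: EXEC, dynamic: True, pie: False` did not get PIE, while `dynamic: False` marks the statically linked binaries that need separate handling rather than a PIE failure.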