On 2016-05-15 21:45:55, Bálint Réczey wrote:
> Hi Niels,
>
> 2016-05-15 20:49 GMT+02:00 Niels Thykier <ni...@thykier.net>:
> > Bálint Réczey:
> >> Hi,
> >>
> >> [...]
> >>
> >
> > Hi,
> >
> >> I think making PIE and bindnow default in dpkg (at least for amd64) would be
> >> perfect release goals for Stretch.
> >>
> >
> > I support the end goal, but I suspect we should enable PIE by default
> > via GCC-6's new configure switch[1]. Assuming it does what I hope, then
> > it will work better than enabling PIE via dpkg-buildflags.
> >
> >  * The major issue with PIE by default is that it is not compatible
> >    with -fPIC (and presumably also -static), which causes FTBFS or
> >    broken ELF binaries.
> >
> >  * Assuming the GCC option does what I hope, then it would automatically
> >    disable PIE for irrelevant outputs.
> >
> > My assumption seems to be aligned with the approach taken by Ubuntu.
>
> I agree that it would be the easier way and I also tried building packages
> with patched GCC 5 setting PIE as default with success, but we have a CTTE
> decision which says that we should set hardening flags through dpkg:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552688
I'm not familiar with the history of that bug (272 updates!), so excuse my question, but:

- that bug seems to have been opened in the context of custom patches to GCC, back in 2009-2012
- the CTTE seems to have made an informal decision (see last update #272) on that topic

Would it make sense to re-evaluate that decision in the context of 2016, i.e. (if I understand correctly) no patching of GCC 6 needed? Just a quick question to the CTTE asking whether the decision is still valid given today's situation.

regards,
iustin
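Whichever mechanism ends up setting the flags (dpkg-buildflags or a GCC configured with PIE as default), the thing worth checking on a built package is the resulting binary: is it an ET_DYN executable (PIE), and was it linked with `-z now` (BIND_NOW)? The following is an added example, not code from this thread, from dpkg or from GCC. It parses an ELF64 little-endian file directly (ELF header, program headers, PT_DYNAMIC entries) so it needs neither readelf nor pyelftools, and it distinguishes a PIE executable from a plain shared object, which is also ET_DYN. The function names and the synthetic ELF fixture built by `build_minimal_elf` are assumptions for offline testing; the fixture is not loadable, it only carries the headers and dynamic tags under inspection.

```python
"""Check an ELF64 binary for PIE and BIND_NOW.  Added example, not code from
the thread, dpkg or GCC.  build_minimal_elf() is a constructed fixture."""
import struct
import sys

# Constants from elf.h
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8                 # in DT_FLAGS: set by -z now on older linkers
DF_1_NOW, DF_1_PIE = 0x1, 0x08000000   # in DT_FLAGS_1: -z now, and "this is a PIE"

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                  # Elf64_Dyn: d_tag, d_val


def inspect_elf(data: bytes) -> dict:
    """Return {'type': str, 'pie': bool, 'bind_now': bool} for an ELF64 LE image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not an ELF64 little-endian file")
    (_, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     _, _, _) = EHDR.unpack_from(data, 0)
    has_interp = False
    tags = {}
    for i in range(e_phnum):
        p_type, _, p_off, _, _, p_filesz, _, _ = PHDR.unpack_from(data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            has_interp = True            # an executable asks for a loader; a library does not
        elif p_type == PT_DYNAMIC:
            off, end = p_off, p_off + p_filesz
            while off + DYN.size <= end:
                d_tag, d_val = DYN.unpack_from(data, off)
                if d_tag == DT_NULL:
                    break
                tags[d_tag] = d_val
                off += DYN.size
    bind_now = (DT_BIND_NOW in tags
                or bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW)
                or bool(tags.get(DT_FLAGS_1, 0) & DF_1_NOW))
    # ET_DYN alone is not proof of PIE: shared libraries are ET_DYN too.
    if e_type == ET_DYN and (has_interp or tags.get(DT_FLAGS_1, 0) & DF_1_PIE):
        kind = "pie-executable"
    elif e_type == ET_DYN:
        kind = "shared-object"
    elif e_type == ET_EXEC:
        kind = "non-pie-executable"
    else:
        kind = "other"
    return {"type": kind, "pie": kind == "pie-executable", "bind_now": bind_now}


def inspect_file(path: str) -> dict:
    with open(path, "rb") as f:
        return inspect_elf(f.read())


def build_minimal_elf(kind: str, bind_now: bool) -> bytes:
    """Constructed fixture (assumption, not toolchain output).  kind is one of
    'pie', 'exec' or 'lib'.  Only headers and dynamic tags are emitted."""
    e_type = ET_EXEC if kind == "exec" else ET_DYN
    with_interp = kind != "lib"
    dyn = [(DT_FLAGS_1, DF_1_PIE if kind == "pie" else 0)]
    if bind_now:
        dyn.append((DT_FLAGS, DF_BIND_NOW))
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(DYN.pack(t, v) for t, v in dyn)
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    nph = 2 if with_interp else 1
    body_off = EHDR.size + nph * PHDR.size
    phdrs, body = [], b""
    if with_interp:
        phdrs.append(PHDR.pack(PT_INTERP, 4, body_off, 0, 0, len(interp), len(interp), 1))
        body += interp
    dyn_off = body_off + len(body)
    phdrs.append(PHDR.pack(PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn_bytes), len(dyn_bytes), 8))
    body += dyn_bytes
    ehdr = EHDR.pack(b"\x7fELF\x02\x01\x01" + b"\0" * 9, e_type, 62, 1, 0,
                     EHDR.size, 0, 0, EHDR.size, PHDR.size, nph, 0, 0, 0)
    return ehdr + b"".join(phdrs) + body


if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, inspect_file(path))
```

Running it over the binaries in a freshly built package (for example `python3 elfcheck.py debian/pkg/usr/bin/*`) gives the same answer as `readelf -h` (Type: DYN) plus `readelf -d` (FLAGS BIND_NOW, FLAGS_1 NOW/PIE), and a non-PIE result on an executable the buildflags should have covered is exactly the symptom to look for when a package's own CFLAGS/LDFLAGS handling drops the dpkg-buildflags values.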