On 15 May 2016 20:49:38 GMT+02:00, Niels Thykier <ni...@thykier.net> wrote:
>Bálint Réczey:
>> Hi,
>>
>> [...]
>>
>
>Hi,
>
>> I think making PIE and bindnow default in dpkg (at least for amd64) would be
>> perfect release goals for Stretch.
>>
>
>I support the end goal, but I suspect we should enable PIE by default
>via GCC-6's new configure switch[1]. Assuming it does what I hope, then
>it will work better than enabling PIE via dpkg-buildflags.
>
> * The major issue with PIE by default is that it is not compatible
>   with -fPIC (and presumably also -static), which causes FTBFS or
>   broken ELF binaries.

It will also break some packages like ImageMagick...
The documentation on how to fix this (without reverting the default) is not usable by upstream.
So please improve the documentation first.

Bastien

>
> * Assuming the GCC option does what I hope, then it would automatically
>   disable PIE for irrelevant outputs.
>
>My assumption seems to be aligned with the approach taken by Ubuntu.
>
>> This would make Debian on par with Fedora and Ubuntu in that regard.
>>
>
>FTR, Fedora seems to have some special logic for adding PIE only to
>executables.
>
>> We briefly discussed that with Guillem in a related bug report:
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812783#42
>>
>> I think the next step could be an archive rebuild with the changed defaults
>> if we would like to pursue this:
>> https://wiki.debian.org/Teams/Dpkg/FAQ#Q:_Can_we_add_support_for_new_default_build_flags_to_dpkg-buildflags.3F
>>
>> I planned starting a discussion on debian-devel about PIE + bindnow,
>> too, after checking all the packages which contain statically compiled
>> binaries because they may need patching to disable PIE flags based on
>> Lunar's post:
>> https://people.debian.org/~lunar/blog/posts/aslr_now/
>>
>> Cheers,
>> Balint
>>
>>> [...]
>
>In summary:
>
> * I would welcome bindnow by default via dpkg-buildflags.
>
> * I would also love to have PIE as default for Stretch although I fear
>   dpkg-buildflags is the wrong approach for that particular flag.
>
>Thanks,
>~Niels
>
>[1] https://gcc.gnu.org/gcc-6/changes.html
>
>"""The --enable-default-pie configure option enables generation of PIE
>by default."""

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
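The thread turns on two questions an archive rebuild would have to answer for every build output: is this ELF file a PIE executable, a fixed-address executable, or a shared library (where PIE is not applicable, which is the distinction Fedora's "only executables" logic and GCC's per-output behaviour are about), and does it carry the bindnow flag. Debian's hardening-check (devscripts) answers both from the ELF header and dynamic section. The following is an added example, not code from this thread or from devscripts: a self-contained Python re-implementation of those two checks on raw ELF64 bytes, exercised against constructed ELF images (the build_elf64 fixture and the SAMPLES names are assumptions of this example, not real packages).

```python
"""Classify ELF64 build outputs for PIE and bindnow.

Added example (not part of the thread or of devscripts): a minimal version of
the checks hardening-check performs, on raw bytes so it runs offline against
constructed ELF images.
"""
import struct

# ELF constants (ELF gABI / glibc elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8          # bit in DT_FLAGS
DF_1_NOW = 0x1             # bit in DT_FLAGS_1
DF_1_PIE = 0x08000000      # bit in DT_FLAGS_1, set by linkers that mark PIEs

EHDR_FMT = "<HHIQQQIHHHHHH"   # Elf64_Ehdr after the 16-byte e_ident
PHDR_FMT = "<IIQQQQQQ"        # Elf64_Phdr
DYN_FMT = "<qQ"               # Elf64_Dyn


def parse_headers(data):
    """Return (e_type, [(p_type, p_offset, p_filesz), ...]) of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_type, _machine, _version, _entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _, _, _) = struct.unpack_from(EHDR_FMT, data, 16)
    phdrs = []
    for i in range(e_phnum):
        p = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        phdrs.append((p[0], p[2], p[5]))  # p_type, p_offset, p_filesz
    return e_type, phdrs


def dynamic_tags(data, phdrs):
    """Collect d_tag -> d_val from the PT_DYNAMIC segment, stopping at DT_NULL."""
    tags = {}
    for p_type, p_offset, p_filesz in phdrs:
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, 16):
            d_tag, d_val = struct.unpack_from(DYN_FMT, data, off)
            if d_tag == DT_NULL:
                break
            tags[d_tag] = d_val
    return tags


def classify(data):
    """Return {'kind': 'exec'|'pie'|'shared-object'|'other', 'bindnow': bool}."""
    e_type, phdrs = parse_headers(data)
    tags = dynamic_tags(data, phdrs)
    has_interp = any(p_type == PT_INTERP for p_type, _, _ in phdrs)
    if e_type == ET_EXEC:
        kind = "exec"            # fixed load address: built without -pie
    elif e_type == ET_DYN and (has_interp or tags.get(DT_FLAGS_1, 0) & DF_1_PIE):
        kind = "pie"             # ET_DYN with a program interpreter is a PIE executable
    elif e_type == ET_DYN:
        kind = "shared-object"   # ET_DYN without interpreter: a library, -fPIC territory
    else:
        kind = "other"           # e.g. ET_REL relocatable objects
    bindnow = bool(DT_BIND_NOW in tags
                   or tags.get(DT_FLAGS, 0) & DF_BIND_NOW
                   or tags.get(DT_FLAGS_1, 0) & DF_1_NOW)
    return {"kind": kind, "bindnow": bindnow}


def build_elf64(e_type, dyn, interp=False):
    """Constructed fixture (assumption of this example): a minimal, non-loadable
    ELF64 image with the given e_type, optional PT_INTERP and a PT_DYNAMIC segment."""
    seg_types = ([PT_INTERP] if interp else []) + [PT_DYNAMIC]
    dyn_off = 64 + 56 * len(seg_types)
    dyn_blob = b"".join(struct.pack(DYN_FMT, t, v) for t, v in dyn)
    dyn_blob += struct.pack(DYN_FMT, DT_NULL, 0)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, LSB, EV_CURRENT
    ehdr += struct.pack(EHDR_FMT, e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(seg_types), 64, 0, 0)
    phdrs = b""
    for t in seg_types:
        if t == PT_DYNAMIC:
            phdrs += struct.pack(PHDR_FMT, t, 6, dyn_off, 0, 0, len(dyn_blob), len(dyn_blob), 8)
        else:
            phdrs += struct.pack(PHDR_FMT, t, 4, 0, 0, 0, 0, 0, 1)
    return ehdr + phdrs + dyn_blob


# Constructed samples standing in for real build outputs (not real packages)
SAMPLES = {
    "plain-exec": build_elf64(ET_EXEC, [(DT_FLAGS, 0)], interp=True),
    "pie-bindnow": build_elf64(ET_DYN, [(DT_FLAGS, DF_BIND_NOW),
                                        (DT_FLAGS_1, DF_1_NOW | DF_1_PIE)], interp=True),
    "libfoo.so": build_elf64(ET_DYN, [(DT_FLAGS_1, DF_1_NOW)]),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, classify(blob))
```

On a real system the same functions can be pointed at `open(path, "rb").read()` for any amd64 binary; the shared-object case is the one a rebuild has to treat separately, since a library is ET_DYN regardless of whether PIE was requested and must not be counted as a PIE success.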