Hi Maximiliano,

2016-10-10 14:21 GMT+02:00 Maximiliano Curia <m...@debian.org>:
> Hello Niels!
>
> On 2016-10-10 at 05:44 +0000, Niels Thykier wrote:
>>
>> Niels Thykier:
>>>
>>> As brought up on the meeting last night, I think we should try to go for
>>> PIE by default in Stretch on all release architectures!
>>>
>>> * It is a substantial hardening feature
>>> * Upstream has vastly reduced the performance penalty for x86
>>> * The majority of all porters believe their release architecture is
>>>   ready for it.
>>> * We have sufficient time to solve any issues or revert if it turns
>>>   out to be too problematic.
>
>>> [...]
>
>>> * Deadline for major concerns: Fri, 7th of October 2016.
>
>> It appears that there were no major concerns. I will follow up #835148
>> and request PIE by default for the following architectures.
>
>> * amd64
>> * arm64
>> * armel
>> * armhf
>> * i386
>> * mips
>> * mips64el
>> * mipsel
>> * ppc64el
>> * s390x
>
> Such a change will produce unneeded FTBFS's in libraries using -fPIC (such
> as qt5 and all its dependencies).
>
> Afaik, -fPIC is stronger than -fPIE, at the same time, -fPIE is incompatible
> with -fPIC and -fPIE makes little sense in shared libraries.
>
> And while a single patch should be trivial, I fear they would be many
> specific ones.

Have you seen the results of the test-rebuild performed with the changed
defaults? I have put together a page with related links and information
where you can find the rebuild results, too:

https://wiki.debian.org/Hardening/PIEByDefaultTransition

Cheers,
Balint