On Tue, 09 May 2017 12:26:48 -0500 Matthias Maier <tam...@gentoo.org> wrote:

> Title: GCC 6 defaults to USE="pie ssp"
> Author: Matthias Maier <tam...@gentoo.org>
> Content-Type: text/plain
> Posted: 2017-05-07
> Revision: 1
> News-Item-Format: 1.0
> Display-If-Installed: >=sys-devel/gcc-6.3.0
> Display-If-Keyword: amd64
>
> In Gentoo, several GCC features can be default disabled or enabled
> via use-flags of sys-devel/gcc. Starting with gcc-4.8.3 we have
> already enabled default SSP [1]. Since the PIE patchset for default
> position independent executable support was integrated upstream
> [2,3], starting with gcc-6.3 we are also enabling PIE by default (via
> a default-enabled use-flag pie) in regular (non-hardened) profiles.
>
> [Additionally, following Gentoo policies, the default-off use-flags
> nopie (only present in Hardened) and nossp are replaced starting with
> gcc-6 by default-on use-flags pie and ssp.]

There is a *huge* difference between:

    <flag name="nopie">Disable PIE support (NOT FOR GENERAL USE)</flag>

and the negation of:

    pie - Build programs as Position Independent Executables (a security hardening technique)

Enabling the latter builds *everything* as PIE.

> Be advised that switching from an older version to GCC 6 will enable
> the PIE feature by default. This should not cause many problems, but
> it may be necessary to recompile parts of your userland. An indicator
> are linker errors of the form [4]

Do you realize that this breaks linking against about any static lib
ever built before upgrading? And I'm not even considering people
toggling the flag.

While I believe it might be a bit too early to default-enable pie, why
not, but the news item *must* contain instructions that people should
'emerge -e world' in order for it to work.

Also, I don't believe default-pie should even be a useflag. It's always
been forced-on for hardened and forced-off for non-hardened I think.
Switching between the two types of profiles has always been difficult
because of that kind of difference.

I strongly believe this should stay that way (that is: this can't be
toggled by a simple useflag).

Bests,
Alexis.
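The breakage Alexis describes (non-PIC static libraries failing to link into a default-PIE binary) can be audited before the rebuild. The following is an added example, not part of the thread or of Gentoo's tooling; it assumes POSIX sh with od/dd, an x86_64 ELF layout, and binutils ar/readelf for the archive check.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): classify an ELF file by
# its e_type (ET_EXEC = traditional non-PIE executable, ET_DYN = PIE or
# shared object), and list static-archive members whose absolute 32-bit
# relocations show they were built without -fPIC/-fPIE and so cannot be
# linked into a PIE. Assumes x86_64 ELF and GNU binutils for the archive check.

# Read the little-endian 16-bit e_type field at offset 16 of an ELF header.
elf_type_of() {
    t=$(dd if="$1" bs=1 skip=16 count=2 2>/dev/null | od -An -tu1)
    set -- $t
    echo $(( ${1:-0} + ${2:-0} * 256 ))
}

# Map e_type to a human-readable verdict.
pie_verdict() {
    case "$(elf_type_of "$1")" in
        2) echo "ET_EXEC (not PIE)" ;;
        3) echo "ET_DYN (PIE or shared object)" ;;
        *) echo "unknown or not an ELF file" ;;
    esac
}

# List members of a static archive that carry R_X86_64_32 / R_X86_64_32S
# relocations, i.e. objects compiled without -fPIC/-fPIE. These are the
# members that break once the toolchain links everything as PIE and must
# be rebuilt (the "emerge -e world" case in the reply above).
archive_nonpic_members() {
    a="$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"   # absolute path for ar
    tmp=$(mktemp -d) || return 1
    ( cd "$tmp" && ar x "$a" ) || { rm -rf "$tmp"; return 1; }
    for o in "$tmp"/*.o; do
        [ -f "$o" ] || continue
        if readelf -rW "$o" 2>/dev/null | grep -qE 'R_X86_64_32S?[[:space:]]'; then
            basename "$o"
        fi
    done
    rm -rf "$tmp"
}

# Usage: ./pie_audit.sh /path/to/binary-or-archive ...
if [ $# -gt 0 ]; then
    for f in "$@"; do
        case "$f" in
            *.a) printf '%s: non-PIC members: %s\n' "$f" "$(archive_nonpic_members "$f" | tr '\n' ' ')" ;;
            *)   printf '%s: %s\n' "$f" "$(pie_verdict "$f")" ;;
        esac
    done
fi
```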