On Tue, May 9, 2017, at 15:10 CDT, Alexis Ballier <aball...@gentoo.org> wrote:
> There is a *huge* difference between:
> <flag name="nopie">Disable PIE support (NOT FOR GENERAL USE)</flag>
> and the negation of:
> pie - Build programs as Position Independent Executables (a security
> hardening technique)
>
> Enabling the latter builds *everything* as PIE.

Yes.

> Do you realize that this breaks linking against about any static lib
> ever built before upgrading? And I'm not even considering people
> toggling the flag.

Yes, I am aware of this.

On Tue, May 9, 2017, at 15:27 CDT, Mike Gilbert <flop...@gentoo.org> wrote:
> I disagree. We might want to default the "pie" USE flag differently
> depending on the profile, but there's no need to force it.

Well, Alexis certainly makes a strong point. Breaking installed static archives by changing a use flag shouldn't be as easy as changing a useflag. So we might simply use.force the pie use flag depending on hardened/non-hardened profiles.

I'll follow up with a proposed profile change forcing -pie for non hardened and pie for hardened profiles (instead of this news item).

I have one question, though: For what arches do we have to disable pie? (The current patchset simply enables all.)

Best,
Matthias