Hi Guillem,

2016-03-08 1:52 GMT+01:00 Guillem Jover <[email protected]>:
> Control: block -1 by 812782
>
> On Fri, 2016-01-29 at 12:55:42 +0100, Bálint Réczey wrote:
>> 2016-01-29 0:46 GMT+01:00 Guillem Jover <[email protected]>:
>> > On Tue, 2016-01-26 at 15:33:40 +0100, Balint Reczey wrote:
>> >> Package: dpkg
>> >> Version: 1.18.4
>> >> Severity: wishlist
>> >> Tags: patch
>> >> User: [email protected]
>> >> Usertags: hardened1-linux-amd64
>> >
>> >> This is the second patch enabling extra flags in dpkg in case the
>> >> hardened1-linux-amd64 port is accepted in #812782.
>> >
>> >> diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm
>> >> index db40b2c..2f39d82 100644
>> >> --- a/scripts/Dpkg/Vendor/Debian.pm
>> >> +++ b/scripts/Dpkg/Vendor/Debian.pm
>> >> @@ -177,6 +177,14 @@ sub _add_reproducible_flags {
>> >
>> >> + if ($abi =~ /^(?:gnuhardened1)$/) {
>> >> + # Enable bindnow on hardened ports
>> >> + $use_feature{bindnow} = 1;
>> >> + }
>> >> +
>> >
>> > Unfortunately I don't think this is a good idea. Due to at least two
>> > reasons. First not all packages are using dpkg-buildflags, which means
>> > that many will simply fail to build if one of the libraries they use
>> > is using ASAN but the program is not (AFAIUI). And because this is
>
>> I plan on providing patches for those packages, but I see your point.
>>
>> > part of the ABI so it should really be a default in the compiler. This
>> > is part of the architecture definition. So this to me seems like the
>> > wrong place to set these.
>
>> I'm working towards adding those as default GCC flags. I have already
>> added PIE which I previously set in dpkg: #812889 .
>
> Actually setting bindnow and PIE would be fine as part of the default
> build flags from dpkg, because those do not change the ABI in
> principle. And those are the only ones I'd accept from this bug
> report, but certainly not the ABI changing ones.

Do you mean you would be open to setting PIE and maybe bindnow as default
flags for a potential new architecture or even for existing ones like amd64?
In the latter case would you like to discuss that on debian-devel?
I would support such changes and I think we are in time for enabling PIE
for Stretch and bindnow for Stretch+1 (maybe Stretch).
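Review bot: the `$abi` test `/^(?:gnuhardened1)$/` is an anchored regex with a single alternative, which is just a string comparison; `$abi eq 'gnuhardened1'` states that more plainly, or, if further hardened ABI names are planned, listing them in the alternation would make the intent visible. Two smaller points on the same hunk: the header `@@ -177,6 +177,14 @@ sub _add_reproducible_flags {` names the reproducible-flags helper as the enclosing context while the comment describes enabling a hardening feature, so it is worth confirming the block sits beside the other hardening feature defaults rather than in the reproducible section; and the header counts eight added lines while only five are quoted here, so the rest of the hunk was trimmed in the reply.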
>
>> Setting the flags in dpkg makes it possible to create the port before the GCC
>> patches are stable. My thinking was that I could migrate to changing GCC
>> later without breaking the ABI.
>
> Not an option really. Having a stable ABI is a prerequisite for any new
> dpkg architecture, until that has happened I'm not planning on considering
> such additions.

OK, I agree.

Cheers,
Balint

