Hi Guillem,

2016-03-09 12:09 GMT+01:00 Guillem Jover <[email protected]>:
> Hi!
>
> On Tue, 2016-03-08 at 11:29:04 +0100, Bálint Réczey wrote:
>> 2016-03-08 1:52 GMT+01:00 Guillem Jover <[email protected]>:
>> > Actually setting bindnow and PIE would be fine as part of the default
>> > build flags from dpkg, because those do not change the ABI in
>> > principle. And those are the only ones I'd accept from this bug
>> > report, but certainly not the ABI changing ones.
>
>> Do you mean you would be open to setting PIE and maybe bindnow as default
>> flags for a potential new architecture or even for existing ones like amd64?
>> In the latter case would you like to discuss that on debian-devel?
>> I would support such changes and I think we are in time for enabling
>> PIE for Stretch
>> and bindnow for Stretch+1 (maybe Stretch).
>
> Setting PIE and bindnow for the proposed new arch seems fine to me, as
> its main raison d'etre is precisely to be hardened. I don't think
> anything has changed significantly to globally enable these by default
> everywhere though (i.e. performance and potential for breakage, at least).

I think there were significant changes in the open source landscape.
Fedora 23 came out with PIE and bindnow by default:
https://fedoraproject.org/wiki/Changes/Harden_All_Packages#Detailed_Harden_Flags_Description

Lunar also suggested changing pie to opt-out rather than keeping it opt-in:
https://people.debian.org/~lunar/blog/posts/aslr_now/

GCC 6 will add the --enable-default-pie configure option, doko already
backported it to 5.x in unstable and it is already enabled for Ubuntu 390x:
http://anonscm.debian.org/viewvc/gcccvs/branches/sid/gcc-5/debian/rules.defs?view=markup#l1204

I think it would be reasonable to follow Fedora and make both PIE and
bindnow opt-in after fixing most packages which don't build, based on an
archive-wide rebuild test in advance.

Cheers,
Balint
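An added example, not part of this thread or of dpkg: a small Python checker for the two flags under discussion, the kind of test an archive-wide rebuild could run over its build products. It reads an ELF64 image's e_type (PIE executables are emitted as ET_DYN) and walks the PT_DYNAMIC segment for DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW. The function names and the synthetic ELF builder used for the self-test are assumptions of this example.

```python
import struct

ET_EXEC, ET_DYN, PT_DYNAMIC = 2, 3, 2
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def check_hardening(blob):
    """Return {'pie': bool, 'bindnow': bool} for a little-endian ELF64 image.

    Caveat: ET_DYN is also what shared libraries use, so 'pie' here means
    'position independent', the same signal hardening-check style tools use.
    """
    if blob[:4] != b"\x7fELF" or blob[4] != 2 or blob[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_type,) = struct.unpack_from("<H", blob, 16)
    (e_phoff,) = struct.unpack_from("<Q", blob, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", blob, 54)
    bindnow = False
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", blob, e_phoff + i * e_phentsize)
        if p_type != PT_DYNAMIC:
            continue
        # Each Elf64_Dyn entry is a signed tag followed by an unsigned value.
        for off in range(p_offset, p_offset + p_filesz, 16):
            tag, val = struct.unpack_from("<qQ", blob, off)
            if tag == DT_NULL:
                break
            if (tag == DT_BIND_NOW
                    or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                bindnow = True
    return {"pie": e_type == ET_DYN, "bindnow": bindnow}


def check_file(path):
    """Run the check on an on-disk binary (assumed helper)."""
    with open(path, "rb") as f:
        return check_hardening(f.read())


def build_elf(e_type, dyn_entries):
    """Constructed minimal ELF64: header + one PT_DYNAMIC phdr + dynamic array."""
    phoff, dynoff = 64, 64 + 56
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, phoff, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dynoff, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn
```

Running `check_file` over every ELF in a rebuilt package and flagging anything that is not `{'pie': True, 'bindnow': True}` gives the per-package list of stragglers a rebuild test would want.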

