Package: gcc-6 Version: 6.1.1-12 Severity: wishlist Tags: patch Dear Matthias,
As a continuation of the discussions [1][2] on debian-devel, I'm attaching a simple patch that enables the PIE hardening flags for a subset of the architectures. I'm open to changing the subset; as a start it matches the set selected in Ubuntu, but porters may have different preferences [2]. I'm continuing with a full archive rebuild to see the number of packages that need to be updated for the change in the default flags. The same patch applies to gcc-5, too, if it does not get removed from the archive before the patch is accepted for gcc-6.
Cheers, Balint
[1] https://lists.debian.org/debian-devel/2016/05/msg00228.html
[2] https://lists.debian.org/debian-devel/2016/08/msg00324.html
>From 096fba7df4a9d699015c5f5457be7fdd21cde33e Mon Sep 17 00:00:00 2001
From: Balint Reczey <bal...@balintreczey.hu>
Date: Sun, 3 Jul 2016 21:09:36 +0200
Subject: [PATCH] Enable PIE on Debian for amd64, ppc64el and s390x
---
 debian/rules.defs | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/debian/rules.defs b/debian/rules.defs
index 47a067d..443eba4 100644
--- a/debian/rules.defs
+++ b/debian/rules.defs
@@ -1222,16 +1222,19 @@ endif
 # pie by default --------------------
 with_pie :=
+pie_archs := amd64 ppc64el s390x
 ifeq ($(distribution),Ubuntu)
 ifeq (,$(filter $(distrelease),lucid precise trusty utopic vivid wily))
 pie_archs = s390x
+ else
+ pie_archs =
 endif
 ifeq (,$(filter $(distrelease),lucid precise trusty utopic vivid wily xenial))
 pie_archs += amd64 ppc64el
 endif
- ifneq (,$(filter $(DEB_TARGET_ARCH),$(pie_archs)))
- with_pie := yes
- endif
+endif
+ifneq (,$(filter $(DEB_TARGET_ARCH),$(pie_archs)))
+ with_pie := yes
 endif
 # gold --------------------
--
2.1.4
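Review bot: The new top-level default `pie_archs := amd64 ppc64el s390x` takes effect for every `$(distribution)` value other than Ubuntu and for every release, although the subject limits the change to Debian; any derivative or older-release build that shares this rules.defs would pick up the PIE compiler default as well. If that is not intended, start from `pie_archs :=` and set the list inside an explicit `ifeq ($(distribution),Debian)` … `endif` guard (assuming `Debian` is the value the variable carries there, which the hunk does not show). The variable is also assigned with `:=` on the added line and with `=` in the Ubuntu branch; using `:=` in both places would keep the flavour consistent. A one-line comment above the list saying that it selects the architectures whose compiler defaults to PIE would help the porters who are expected to adjust it.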