Hi Guillem,

For the record gcc-6/6.2.0-7 enabled bindnow for the architectures where PIE is enabled by default.

I think enabling bindnow from dpkg would be better through the hardening flags because packages could disable it in a nicer and already established way.

Cheers,
Balint

2016-10-10 14:06 GMT+02:00 Balint Reczey <bal...@balintreczey.hu>:
> Dear Guillem,
>
> On Tue, 23 Aug 2016 00:14:25 +0200 Balint Reczey <bal...@balintreczey.hu> wrote:
> ...
>> Dear Guillem,
>>
>> As a continuation of the discussions [1][2] on debian-devel I'm
>> attaching the simple patch that implements enabling the bindnow
>> hardening flags.
>>
>> I'm continuing with the rebuild/autopkgtest tests according to
>> the Dpkg FAQ, hence the moreinfo tag.
>
> The rebuild (with PIE and bindnow enabled) resulted in ~1000 FTBFS
> cases from which all seem to be related to enabling PIE by
> default [3].
>
> ~70 of the filed related bugs [4] are still open.
>
> Since the rebuild was run with tests enabled this seems to be a
> good indication that we can expect very few breakages from
> enabling bindnow by default.
>
> Running autopkgtest would need more work as AFAIK there is no
> automated method for doing it like rebuilds [5].
>
> I'm wondering if you find the autopkgtest round necessary for
> this change.
>
> Cheers,
> Balint
>
>>
>> Cheers,
>> Balint
>>
>> [1] https://lists.debian.org/debian-devel/2016/05/msg00228.html
>> [2] https://lists.debian.org/debian-devel/2016/08/msg00324.html
>
> [3] https://wiki.debian.org/Hardening/PIEByDefaultTransition
> [4] https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=pie-bindnow-20160906&users=balint%40balintreczey.hu;dist=unstable
> [5] https://wiki.debian.org/qa.debian.org/ArchiveTesting
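A check a maintainer can run over a rebuilt binary to confirm that the bindnow flag discussed above actually reached the link step (the point of `-z now` together with `-z relro` is that the GOT is fully resolved and made read-only before the program runs). This is an added example, not code from the attached patch or from dpkg; it reads the ELF64 `.dynamic` section directly rather than shelling out to `readelf -d`, and the two sample sections at the bottom are constructed.

```python
import struct

# Dynamic-section tags and flag bits as defined in the ELF gABI / <elf.h>
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
SHT_DYNAMIC = 6

def dynamic_entries(blob):
    """Split a little-endian ELF64 .dynamic section into (tag, value) pairs, stopping at DT_NULL."""
    entries = []
    for off in range(0, len(blob) - 15, 16):
        tag, val = struct.unpack_from('<qQ', blob, off)
        if tag == DT_NULL:
            break
        entries.append((tag, val))
    return entries

def has_bindnow(entries):
    """True if the dynamic linker is told to resolve every symbol at load time (-z now)."""
    for tag, val in entries:
        if tag == DT_BIND_NOW:                      # legacy marker tag
            return True
        if tag == DT_FLAGS and val & DF_BIND_NOW:   # modern linkers set this ...
            return True
        if tag == DT_FLAGS_1 and val & DF_1_NOW:    # ... and/or this one
            return True
    return False

def elf_has_bindnow(path):
    """Check a little-endian ELF64 file on disk; a static binary has no .dynamic and yields False."""
    with open(path, 'rb') as f:
        data = f.read()
    if data[:4] != b'\x7fELF' or data[4] != 2 or data[5] != 1:
        raise ValueError('not a little-endian ELF64 file: %s' % path)
    e_shoff = struct.unpack_from('<Q', data, 0x28)[0]
    e_shentsize, e_shnum = struct.unpack_from('<HH', data, 0x3A)
    for i in range(e_shnum):
        sh = e_shoff + i * e_shentsize
        sh_type = struct.unpack_from('<I', data, sh + 4)[0]
        if sh_type == SHT_DYNAMIC:
            sh_offset, sh_size = struct.unpack_from('<QQ', data, sh + 0x18)
            return has_bindnow(dynamic_entries(data[sh_offset:sh_offset + sh_size]))
    return False

# Constructed samples: a .dynamic section from a bindnow link and one from a lazy-binding link
SAMPLE_NOW = struct.pack('<qQqQ', DT_FLAGS_1, DF_1_NOW, DT_NULL, 0)
SAMPLE_LAZY = struct.pack('<qQqQ', DT_FLAGS, 0, DT_NULL, 0)

if __name__ == '__main__':
    import sys
    for p in sys.argv[1:]:
        print(p, 'BIND_NOW' if elf_has_bindnow(p) else 'lazy binding')
```

While the default is still being discussed, a single package can opt in or out through the established `DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow` (or `-bindnow`) setting in debian/rules, and this script shows whether the resulting binary actually carries the flag.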