Hi,

2016-10-26 5:00 GMT+02:00 Guillem Jover <guil...@debian.org>:
> Hi!
> 
> On Thu, 2016-10-20 at 03:20:59 +0200, Bálint Réczey wrote:
>> For the record gcc-6/6.2.0-7 enabled bindnow for the architectures
>> where PIE is enabled by default. I think enabling bindnow from dpkg
>> would be better through the hardening flags because packages could
>> disable it in a nicer and already established way.
> 
> Hmm, I don't get why bindnow was enabled by default in gcc, while 
> relro (I'd assume) is not enabled by default, or is that enabled by 
> default now too?

Default relro is enabled only on Ubuntu among other flags. Enabling
bindnow was Matthias' change and we did not discuss it in advance.

http://sources.debian.net/src/gcc-6/6.2.0-9/debian/rules.patch/#L134

> 
> IMO either relro + bindnow should be enabled in gcc, or neither 
> should. I'm fine either way, but I find having a hardened compiler
> is actually good, because it gives also hardened output for
> non-packaged builds!

I'm OK either way. IMO those can be enabled even for non-PIE arches BTW.
In the original patches I wanted to follow Debian's practice of setting
flags from dpkg, but there are pros and cons on each side.
Setting relro + bindnow in GCC probably results in fewer FTBFS-es in packages
where flags are not passed properly, while it makes it harder to disable
the flags from d/rules.

I would like to see bindnow enabled in Stretch and the first phase of
the freeze is near. Could you two (Matthias and Guillem) please find the
variant which would please both of you?

Cheers,
Balint

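Guillem's point that relro and bindnow only pay off together is what tools like checksec encode: a GNU_RELRO segment alone gives "partial" RELRO, and only the addition of BIND_NOW (DT_FLAGS) or NOW (DT_FLAGS_1) makes the GOT fully read-only after load. The checker below is an added example, not code from the thread or from dpkg or gcc; it parses `readelf -lW` and `readelf -dW` text, and the sample output embedded in it is constructed, not taken from a real gcc-6 build.

```python
import re

# Constructed `readelf -lW` output for a binary linked with -z relro
# (not captured from any real package build).
SAMPLE_PROGRAM_HEADERS = """\
Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x000b78 0x000b78 R E 0x1000
  DYNAMIC        0x002dd8 0x0000000000003dd8 0x0000000000003dd8 0x0001f0 0x0001f0 RW  0x8
  GNU_RELRO      0x002dc8 0x0000000000003dc8 0x0000000000003dc8 0x000238 0x000238 R   0x1
"""

# Constructed `readelf -dW` output for the same binary linked with -z now.
SAMPLE_DYNAMIC_BINDNOW = """\
Dynamic section at offset 0x2dd8 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
"""

# Constructed `readelf -dW` output for a binary linked without -z now.
SAMPLE_DYNAMIC_LAZY = """\
Dynamic section at offset 0x2dd8 contains 26 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000006ffffffb (FLAGS_1)            Flags: PIE
"""


def classify_relro(program_headers: str, dynamic_section: str) -> str:
    """Return 'none', 'partial' or 'full' for the RELRO state of one ELF.

    'partial' means a GNU_RELRO segment exists but symbol binding is still
    lazy, so the GOT stays writable until each symbol is resolved.
    'full' additionally requires BIND_NOW in DT_FLAGS or NOW in DT_FLAGS_1,
    which is what -z now (gcc's bindnow) sets.
    """
    has_relro = any(line.split()[:1] == ["GNU_RELRO"]
                    for line in program_headers.splitlines())
    if not has_relro:
        return "none"          # bindnow without relro does not protect the GOT
    bind_now = False
    for line in dynamic_section.splitlines():
        m = re.search(r"\((FLAGS|FLAGS_1)\)\s+(.*)$", line)
        if not m:
            continue
        tag, value = m.groups()
        flags = value.replace("Flags:", "").split()
        if (tag == "FLAGS" and "BIND_NOW" in flags) or \
           (tag == "FLAGS_1" and "NOW" in flags):
            bind_now = True
    return "full" if bind_now else "partial"
```

On a real build, feed it `readelf -lW` and `readelf -dW` output of the installed binary; a package built with `DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow` under dpkg-buildflags should come out as "full".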