Hi,

2016-10-26 13:46 GMT+02:00 Bálint Réczey <bal...@balintreczey.hu>:
> Hi,
>
> 2016-10-26 5:00 GMT+02:00 Guillem Jover <guil...@debian.org>:
>> Hi!
>>
>> On Thu, 2016-10-20 at 03:20:59 +0200, Bálint Réczey wrote:
>>> For the record gcc-6/6.2.0-7 enabled bindnow for the architectures
>>> where PIE is enabled by default. I think enabling bindnow from dpkg
>>> would be better through the hardening flags because packages could
>>> disable it in a nicer and already established way.
>>
>> Hmm, I don't get why bindnow was enabled by default in gcc, while
>> relro (I'd assume) is not enabled by default, or is that enabled by
>> default now too?
>
> Default relro is enabled only on Ubuntu among other flags. Enabling
> bindnow was Matthias' change and we did not discuss it in advance.
>
> http://sources.debian.net/src/gcc-6/6.2.0-9/debian/rules.patch/#L134
>
>> IMO either relro + bindnow should be enabled in gcc, or neither
>> should. I'm fine either way, but I find having a hardened compiler
>> is actually good, because it gives also hardened output for
>> non-packaged builds!
>
> I'm OK either way. IMO those can be enabled even for non-PIE arches BTW.
> In the original patches I wanted to follow Debian's practice of setting
> flags from dpkg, but there are pros and cons on each side.
> Setting relro + bindnow in GCC probably results in fewer FTBFS-s in packages
> where flags are not passed properly, while it makes it harder to disable
> the flags from d/rules.
>
> I would like to see bindnow enabled in Stretch and the first phase of
> the freeze is near. Could you two (Matthias and Guillem) please find the
> variant which would please both of you?
For the record Matthias reverted setting bindnow in gcc-6/6.2.0-10, thus it seems dpkg can set both.

Cheers,
Balint
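Whichever side ends up injecting the flags (gcc defaults or dpkg-buildflags), the thread's worry about "packages where flags are not passed properly" is best answered by checking the built binaries. The script below is an added example, not code from this thread or from dpkg/gcc: it classifies a binary as having full, partial or no RELRO the way checksec-style tools do, by looking for a PT_GNU_RELRO segment (the relro half) and for an immediate-binding request in the dynamic section (the bindnow half). The readelf output embedded in it is constructed to match the usual `readelf -lW` / `readelf -dW` layout, so the sample runs offline; `classify_file()` applies the same logic to a real ELF file when binutils is installed.

```python
"""Classify RELRO / BIND_NOW hardening from readelf output.

Added example, not code from the Debian thread above. It mirrors the logic
of checksec-style tools: a binary has "full" RELRO only when the linker both
emitted a PT_GNU_RELRO segment (-z relro) and asked the loader to resolve all
symbols at startup (-z now), so the GOT can be made read-only before main().
"""
import re
import shutil
import subprocess

# Constructed sample output, modelled on `readelf -lW` and `readelf -dW`
# for a binary linked with -z relro -z now (not captured from a real file).
SAMPLE_PROGRAM_HEADERS = """\
Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x000750 0x000750 R   0x1000
  DYNAMIC        0x002dc8 0x0000000000003dc8 0x0000000000003dc8 0x0001f0 0x0001f0 RW  0x8
  GNU_RELRO      0x002db8 0x0000000000003db8 0x0000000000003db8 0x000248 0x000248 R   0x1
"""

SAMPLE_DYNAMIC_FULL = """\
Dynamic section at offset 0x2dc8 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
"""

# Same binary linked without -z now: relro segment present, lazy binding kept.
SAMPLE_DYNAMIC_LAZY = """\
Dynamic section at offset 0x2dc8 contains 26 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000006ffffffb (FLAGS_1)            Flags: PIE
"""


def has_relro_segment(program_headers: str) -> bool:
    """True if a PT_GNU_RELRO program header is present (-z relro)."""
    return re.search(r"^\s*GNU_RELRO\b", program_headers, re.M) is not None


def has_bind_now(dynamic_section: str) -> bool:
    """True if the dynamic section requests immediate binding (-z now).

    The linker may express this three ways: a DT_BIND_NOW entry,
    BIND_NOW inside DT_FLAGS, or NOW inside DT_FLAGS_1.
    """
    if re.search(r"\(BIND_NOW\)", dynamic_section):
        return True
    m = re.search(r"\(FLAGS\)\s+(.*)$", dynamic_section, re.M)
    if m and "BIND_NOW" in m.group(1).split():
        return True
    m = re.search(r"\(FLAGS_1\)\s+Flags:\s*(.*)$", dynamic_section, re.M)
    if m and "NOW" in m.group(1).split():
        return True
    return False


def classify_relro(program_headers: str, dynamic_section: str) -> str:
    """Return 'full', 'partial' or 'none' in the checksec sense."""
    if not has_relro_segment(program_headers):
        return "none"
    return "full" if has_bind_now(dynamic_section) else "partial"


def classify_file(path: str) -> str:
    """Run readelf on a real ELF file (requires binutils on PATH)."""
    if shutil.which("readelf") is None:
        raise RuntimeError("readelf not found; install binutils")
    ph = subprocess.run(["readelf", "-lW", path],
                        capture_output=True, text=True, check=True).stdout
    dyn = subprocess.run(["readelf", "-dW", path],
                         capture_output=True, text=True, check=True).stdout
    return classify_relro(ph, dyn)


if __name__ == "__main__":
    print("sample (relro + bindnow):", classify_relro(SAMPLE_PROGRAM_HEADERS, SAMPLE_DYNAMIC_FULL))
    print("sample (relro only):     ", classify_relro(SAMPLE_PROGRAM_HEADERS, SAMPLE_DYNAMIC_LAZY))
```

A "partial" result on a package built after the bindnow change is exactly the symptom the thread is about: the relro segment came from one source of flags while `-z now` was dropped somewhere between d/rules and the linker. Running `classify_file()` over the ELF files in a built .deb is a cheap way to confirm that the variant finally chosen (gcc default or dpkg-buildflags) actually reached every binary.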