Hi Guillem,

2016-10-27 23:49 GMT+02:00 Bálint Réczey <bal...@balintreczey.hu>:
> Hi,
>
> 2016-10-26 13:46 GMT+02:00 Bálint Réczey <bal...@balintreczey.hu>:
>> Hi,
>>
>> 2016-10-26 5:00 GMT+02:00 Guillem Jover <guil...@debian.org>:
>>> Hi!
>>>
>>> On Thu, 2016-10-20 at 03:20:59 +0200, Bálint Réczey wrote:
>>>> For the record gcc-6/6.2.0-7 enabled bindnow for the architectures
>>>> where PIE is enabled by default. I think enabling bindnow from dpkg
>>>> would be better through the hardening flags because packages could
>>>> disable it in a nicer and already established way.
>>>
>>> Hmm, I don't get why bindnow was enabled by default in gcc, while
>>> relro (I'd assume) is not enabled by default, or is that enabled by
>>> default now too?
>>
>> Default relro is enabled only on Ubuntu among other flags. Enabling
>> bindnow was Matthias' change and we did not discuss it in advance.
>>
>> http://sources.debian.net/src/gcc-6/6.2.0-9/debian/rules.patch/#L134
>>
>>>
>>> IMO either relro + bindnow should be enabled in gcc, or neither
>>> should. I'm fine either way, but I find having a hardened compiler
>>> is actually good, because it gives also hardened output for
>>> non-packaged builds!
>>
>> I'm OK either way. IMO those can be enabled even for non-PIE arches BTW.
>> In the original patches I wanted to follow Debian's practice of setting
>> flags from dpkg, but there are pros and cons on each side.
>> Setting relro + bindnow in GCC probably results in fewer FTBS-s in packages
>> where flags are not passed properly, while it makes it harder to disable
>> the flags from d/rules.
>>
>> I would like to see bindnow enabled in Stretch and the first phase of
>> the freeze is near. Could you two (Matthias and Guillem) please find the
>> variant which would please both of you?
>
> For the record Matthias reverted setting bindnow in gcc-6/6.2.0-10, thus it
> seems dpkg can set both.

I saw you synced dpkg with GCC's default PIE settings in 1.18.11, thank you
for that.
Is there any particular reason for not enabling bindnow as well?

Do you plan to enable it for Stretch?

Cheers,
Balint
