Hi All,

2016-11-06 13:20 GMT+01:00 Bálint Réczey <bal...@balintreczey.hu>:
> Hi Guillem,
>
> 2016-10-27 23:49 GMT+02:00 Bálint Réczey <bal...@balintreczey.hu>:
>> Hi,
>>
>> 2016-10-26 13:46 GMT+02:00 Bálint Réczey <bal...@balintreczey.hu>:
>>> Hi,
>>>
>>> 2016-10-26 5:00 GMT+02:00 Guillem Jover <guil...@debian.org>:
>>>> Hi!
>>>>
>>>> On Thu, 2016-10-20 at 03:20:59 +0200, Bálint Réczey wrote:
>>>>> For the record gcc-6/6.2.0-7 enabled bindnow for the architectures
>>>>> where PIE is enabled by default. I think enabling bindnow from dpkg
>>>>> would be better through the hardening flags because packages could
>>>>> disable it in a nicer and already established way.
>>>>
>>>> Hmm, I don't get why bindnow was enabled by default in gcc, while
>>>> relro (I'd assume) is not enabled by default, or is that enabled by
>>>> default now too?
>>>
>>> Default relro is enabled only on Ubuntu among other flags. Enabling
>>> bindnow was Matthias' change and we did not discuss it in advance.
>>>
>>> http://sources.debian.net/src/gcc-6/6.2.0-9/debian/rules.patch/#L134
>>>
>>>>
>>>> IMO either relro + bindnow should be enabled in gcc, or neither
>>>> should. I'm fine either way, but I find having a hardened compiler
>>>> is actually good, because it also gives hardened output for
>>>> non-packaged builds!
>>>
>>> I'm OK either way. IMO those can be enabled even for non-PIE arches BTW.
>>> In the original patches I wanted to follow Debian's practice of setting
>>> flags from dpkg, but there are pros and cons on each side.
>>> Setting relro + bindnow in GCC probably results in fewer FTBFSes in packages
>>> where flags are not passed properly, while it makes it harder to disable
>>> the flags from d/rules.
>>>
>>> I would like to see bindnow enabled in Stretch and the first phase of
>>> the freeze is near. Could you two (Matthias and Guillem) please find the
>>> variant which would please both of you?
>>
>> For the record Matthias reverted setting bindnow in gcc-6/6.2.0-10, thus it
>> seems dpkg can set both.
>
> I saw you synced dpkg with GCC's default PIE settings in 1.18.11, thank you
> for that.
> Is there any particular reason for not enabling bindnow as well?
>
> Do you plan enabling it for Stretch?
I have uploaded a fixed package with the attached patch to DELAYED/10.

Cheers,
Balint
diff -Nru dpkg-1.18.15/debian/changelog dpkg-1.18.15+nmu1/debian/changelog --- dpkg-1.18.15/debian/changelog 2016-11-16 03:28:05.000000000 +0100 +++ dpkg-1.18.15+nmu1/debian/changelog 2016-12-14 13:42:35.000000000 +0100 @@ -1,3 +1,10 @@ +dpkg (1.18.15+nmu1) unstable; urgency=medium + + * Non-maintainer upload. + * Make dpkg-buildflags enable bindnow by default (Closes: #835146) + + -- Balint Reczey <bal...@balintreczey.hu> Wed, 14 Dec 2016 13:40:17 +0100 + dpkg (1.18.15) unstable; urgency=medium [ Guillem Jover ] diff -Nru dpkg-1.18.15/man/dpkg-buildflags.man dpkg-1.18.15+nmu1/man/dpkg-buildflags.man --- dpkg-1.18.15/man/dpkg-buildflags.man 2016-11-14 00:54:13.000000000 +0100 +++ dpkg-1.18.15+nmu1/man/dpkg-buildflags.man 2016-12-14 13:40:13.000000000 +0100 @@ -339,7 +339,7 @@ . .TP .B bindnow -This setting (disabled by default) adds +This setting (enabled by default) adds .B \-Wl,\-z,now to \fBLDFLAGS\fP. During program load, all dynamic symbols are resolved, allowing for the entire PLT to be marked read-only (due to \fBrelro\fP diff -Nru dpkg-1.18.15/scripts/Dpkg/Vendor/Debian.pm dpkg-1.18.15+nmu1/scripts/Dpkg/Vendor/Debian.pm --- dpkg-1.18.15/scripts/Dpkg/Vendor/Debian.pm 2016-11-14 00:54:14.000000000 +0100 +++ dpkg-1.18.15+nmu1/scripts/Dpkg/Vendor/Debian.pm 2016-12-14 13:40:08.000000000 +0100 @@ -287,7 +287,7 @@ fortify => 1, format => 1, relro => 1, - bindnow => 0, + bindnow => 1, ); my %builtin_feature = ( pie => 1,
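Review bot: the debian/changelog entry for 1.18.15+nmu1 records only that bindnow becomes the default and gives maintainers no hint of how to opt out, even though this NMU changes the LDFLAGS of every package that consumes dpkg-buildflags and is going through DELAYED/10 precisely so people can react. Add a sentence naming the already established opt-out that the thread relies on (the hardening=-bindnow form of DEB_BUILD_MAINT_OPTIONS in debian/rules), and mention that the dpkg-buildflags manual page was updated to match, so the entry documents the full user-visible change.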
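Review bot: in the man/dpkg-buildflags.man hunk the text now reads "This setting (enabled by default)" unconditionally, while the only code change is in Dpkg/Vendor/Debian.pm, so the statement is really about the Debian vendor default; say so, or phrase it the way the other vendor-controlled defaults are described. The unchanged context right after it ("allowing for the entire PLT to be marked read-only (due to relro") also makes the benefit conditional on relro, so the paragraph should spell out that disabling relro while leaving bindnow on only pays the load-time symbol resolution cost and does not yield a read-only PLT.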
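Review bot: in the scripts/Dpkg/Vendor/Debian.pm hunk, `bindnow => 1` sits in the unconditional feature defaults next to `relro => 1`, whereas pie (visible in the `%builtin_feature` context immediately below) is treated as a builtin feature with its own handling; that is fine for a pure link flag, but it means -Wl,-z,now is still emitted when a package turns relro off, leaving the GOT fully resolved at load time yet writable. If the goal from the thread is full RELRO, consider emitting -z now only when relro is also enabled, or at least documenting the combination. The patch also carries no test update; if the test suite under scripts/t asserts on the default LDFLAGS it needs the same flip.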
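The man page hunk above says that -z now only lets the entire PLT/GOT be made read-only in combination with relro. As an added example, not part of Bálint's patch or of dpkg itself, here is a small Python checker that classifies a binary the way tools such as checksec do: "full" RELRO when the ELF carries a PT_GNU_RELRO segment and a BIND_NOW marker in its dynamic section, "partial" when only PT_GNU_RELRO is present, and "none" otherwise. It handles only little-endian ELF64 (an assumption, stated in the code) and builds its own minimal synthetic ELF images for the sample cases, so it runs offline; the script name `relro_check.py` and the `build_elf` helper are mine. Run it as `python3 relro_check.py /path/to/binary` on a real build to see what the dpkg-buildflags default actually produced.

```python
"""relro_check.py: classify an ELF64 as full / partial / no RELRO.

Added example for the bindnow discussion; not dpkg code. Assumes
little-endian ELF64 input (the x86-64/arm64 case) and reads the dynamic
section by its PT_DYNAMIC file offset.
"""
import struct
import sys

# Program header types and dynamic tags/flags from the ELF and gABI specs.
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL = 0
DT_BIND_NOW = 24           # old-style marker for -z now
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8          # bit in DT_FLAGS
DF_1_NOW = 0x1             # bit in DT_FLAGS_1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr (56 bytes)
DYN = struct.Struct("<qQ")                  # Elf64_Dyn  (16 bytes)


def relro_state(data: bytes) -> str:
    """Return 'full', 'partial' or 'none' for the given ELF image bytes."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (_ident, _type, _mach, _ver, _entry, phoff, _shoff, _flags,
     _ehsize, phentsize, phnum, *_rest) = EHDR.unpack_from(data, 0)

    has_relro = False
    bind_now = False
    for i in range(phnum):
        (p_type, _pflags, p_off, _va, _pa, p_filesz,
         _memsz, _align) = PHDR.unpack_from(data, phoff + i * phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            # Walk the dynamic array until DT_NULL, looking for any of the
            # three ways the linker records -z now.
            for off in range(p_off, p_off + p_filesz, DYN.size):
                tag, val = DYN.unpack_from(data, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW
                        or (tag == DT_FLAGS and (val & DF_BIND_NOW))
                        or (tag == DT_FLAGS_1 and (val & DF_1_NOW))):
                    bind_now = True

    # -z now without a GNU_RELRO segment resolves everything at load time
    # but leaves the GOT writable, so it does not count as RELRO at all.
    if has_relro and bind_now:
        return "full"
    if has_relro:
        return "partial"
    return "none"


def build_elf(relro: bool, bindnow: bool) -> bytes:
    """Construct a minimal synthetic ELF64 image (test input, not a real binary)."""
    dyn = b""
    if bindnow:
        dyn += DYN.pack(DT_FLAGS, DF_BIND_NOW) + DYN.pack(DT_FLAGS_1, DF_1_NOW)
    dyn += DYN.pack(DT_NULL, 0)

    phnum = 2 if relro else 1
    dyn_off = EHDR.size + phnum * PHDR.size
    phdrs = PHDR.pack(PT_DYNAMIC, 6, dyn_off, 0x1000, 0x1000, len(dyn), len(dyn), 8)
    if relro:
        phdrs += PHDR.pack(PT_GNU_RELRO, 4, dyn_off, 0x1000, 0x1000, len(dyn), len(dyn), 1)

    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LE, version 1
    ehdr = EHDR.pack(ident, 3, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, phnum, 0, 0, 0)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(f"{path}: {relro_state(fh.read())} RELRO")
    else:
        for relro, now in ((True, True), (True, False), (False, True), (False, False)):
            print(f"relro={relro} bindnow={now}: {relro_state(build_elf(relro, now))}")
```

The interesting case is `build_elf(False, True)`: a binary linked with -z now but without -z relro still comes out as "none", which is exactly why the man page ties the bindnow benefit to relro and why the two defaults are worth keeping in step.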