Hi All,

2016-11-06 13:20 GMT+01:00 Bálint Réczey <bal...@balintreczey.hu>:
> Hi Guillem,
>
> 2016-10-27 23:49 GMT+02:00 Bálint Réczey <bal...@balintreczey.hu>:
>> Hi,
>>
>> 2016-10-26 13:46 GMT+02:00 Bálint Réczey <bal...@balintreczey.hu>:
>>> Hi,
>>>
>>> 2016-10-26 5:00 GMT+02:00 Guillem Jover <guil...@debian.org>:
>>>> Hi!
>>>>
>>>> On Thu, 2016-10-20 at 03:20:59 +0200, Bálint Réczey wrote:
>>>>> For the record gcc-6/6.2.0-7 enabled bindnow for the architectures
>>>>> where PIE is enabled by default. I think enabling bindnow from dpkg
>>>>> would be better through the hardening flags because packages could
>>>>> disable it in a nicer and already established way.
>>>>
>>>> Hmm, I don't get why bindnow was enabled by default in gcc, while
>>>> relro (I'd assume) is not enabled by default, or is that enabled by
>>>> default now too?
>>>
>>> Default relro is enabled only on Ubuntu among other flags. Enabling
>>> bindnow was Matthias' change and we did not discuss it in advance.
>>>
>>> http://sources.debian.net/src/gcc-6/6.2.0-9/debian/rules.patch/#L134
>>>
>>>>
>>>> IMO either relro + bindnow should be enabled in gcc, or neither
>>>> should. I'm fine either way, but I find having a hardened compiler
>>>> is actually good, because it gives also hardened output for
>>>> non-packaged builds!
>>>
>>> I'm OK either way. IMO those can be enabled even for non-PIE arches BTW.
>>> In the original patches I wanted to follow Debian's practice of setting
>>> flags from dpkg, but there are pros and cons on each side.
>>> Setting relro + bindnow in GCC probably results in fewer FTBFSs in packages
>>> where flags are not passed properly, while it makes it harder to disable
>>> the flags from d/rules.
>>>
>>> I would like to see bindnow enabled in Stretch and the first phase of
>>> the freeze is near. Could you two (Matthias and Guillem) please find the
>>> variant which would please both of you?
>>
>> For the record, Matthias reverted setting bindnow in gcc-6/6.2.0-10, so it
>> seems dpkg can set both.
>
> I saw you synced dpkg with GCC's default PIE settings in 1.18.11, thank you
> for that.
> Is there any particular reason for not enabling bindnow as well?
>
> Do you plan to enable it for Stretch?

I have uploaded a fixed package with the attached patch to DELAYED/10.

Cheers,
Balint
diff -Nru dpkg-1.18.15/debian/changelog dpkg-1.18.15+nmu1/debian/changelog
--- dpkg-1.18.15/debian/changelog	2016-11-16 03:28:05.000000000 +0100
+++ dpkg-1.18.15+nmu1/debian/changelog	2016-12-14 13:42:35.000000000 +0100
@@ -1,3 +1,10 @@
+dpkg (1.18.15+nmu1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Make dpkg-buildflags enable bindnow by default (Closes: #835146)
+
+ -- Balint Reczey <bal...@balintreczey.hu>  Wed, 14 Dec 2016 13:40:17 +0100
+
 dpkg (1.18.15) unstable; urgency=medium
 
   [ Guillem Jover ]
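Review bot: the changelog entry "Make dpkg-buildflags enable bindnow by default (Closes: #835146)" records the flip but not the opt-out, and this is a change that alters the default LDFLAGS of every package built with the hardening defaults. Since the thread's argument for doing this in dpkg rather than gcc is that packages can disable it "in a nicer and already established way", the entry should say so explicitly, e.g. "Packages can still opt out with DEB_BUILD_MAINT_OPTIONS=hardening=-bindnow", so maintainers hitting load-time symbol-resolution regressions know where to look without reading the man page.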
diff -Nru dpkg-1.18.15/man/dpkg-buildflags.man dpkg-1.18.15+nmu1/man/dpkg-buildflags.man
--- dpkg-1.18.15/man/dpkg-buildflags.man	2016-11-14 00:54:13.000000000 +0100
+++ dpkg-1.18.15+nmu1/man/dpkg-buildflags.man	2016-12-14 13:40:13.000000000 +0100
@@ -339,7 +339,7 @@
 .
 .TP
 .B bindnow
-This setting (disabled by default) adds
+This setting (enabled by default) adds
 .B \-Wl,\-z,now
 to \fBLDFLAGS\fP. During program load, all dynamic symbols are resolved,
 allowing for the entire PLT to be marked read-only (due to \fBrelro\fP
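Review bot: the hunk only swaps "disabled" for "enabled" in the first sentence of the bindnow paragraph; the rest of the text (symbols resolved at load, PLT read-only "due to relro") is now describing default behaviour, so please check that no other part of dpkg-buildflags.man still lists bindnow among the features that are off by default, and consider adding one sentence here that the read-only PLT is only obtained when relro is also enabled (it is, per the Debian.pm defaults in this patch), otherwise the "allowing for the entire PLT to be marked read-only" claim reads as unconditional.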
diff -Nru dpkg-1.18.15/scripts/Dpkg/Vendor/Debian.pm dpkg-1.18.15+nmu1/scripts/Dpkg/Vendor/Debian.pm
--- dpkg-1.18.15/scripts/Dpkg/Vendor/Debian.pm	2016-11-14 00:54:14.000000000 +0100
+++ dpkg-1.18.15+nmu1/scripts/Dpkg/Vendor/Debian.pm	2016-12-14 13:40:08.000000000 +0100
@@ -287,7 +287,7 @@
 	fortify => 1,
 	format => 1,
 	relro => 1,
-	bindnow => 0,
+	bindnow => 1,
     );
     my %builtin_feature = (
         pie => 1,
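Review bot: the patch flips `bindnow => 0` to `bindnow => 1` in the Debian vendor defaults but ships no accompanying test change, so nothing in this series verifies the new behaviour. Please add a test alongside the existing build-flags tests asserting that the default LDFLAGS from `dpkg-buildflags --get LDFLAGS` now contains `-Wl,-z,now` and that `hardening=-bindnow` in DEB_BUILD_MAINT_OPTIONS still removes it; since `relro => 1` is already in this hash the combination yields full RELRO, which is the property worth pinning down in a test.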
