Hi Matthias,

2016-12-14 15:09 GMT+01:00 Matthias Klose <d...@debian.org>:
> On 14.12.2016 13:58, Bálint Réczey wrote:
>> Hi All,
>>
>> 2016-11-06 13:20 GMT+01:00 Bálint Réczey <bal...@balintreczey.hu>:
>>> Hi Guillem,
>>>
>>> 2016-10-27 23:49 GMT+02:00 Bálint Réczey <bal...@balintreczey.hu>:
>>>> Hi,
>>>>
>>>> 2016-10-26 13:46 GMT+02:00 Bálint Réczey <bal...@balintreczey.hu>:
>>>>> Hi,
>>>>>
>>>>> 2016-10-26 5:00 GMT+02:00 Guillem Jover <guil...@debian.org>:
>>>>>> Hi!
>>>>>>
>>>>>> On Thu, 2016-10-20 at 03:20:59 +0200, Bálint Réczey wrote:
>>>>>>> For the record gcc-6/6.2.0-7 enabled bindnow for the architectures
>>>>>>> where PIE is enabled by default. I think enabling bindnow from dpkg
>>>>>>> would be better through the hardening flags because packages could
>>>>>>> disable it in a nicer and already established way.
>>>>>>
>>>>>> Hmm, I don't get why bindnow was enabled by default in gcc, while
>>>>>> relro (I'd assume) is not enabled by default, or is that enabled by
>>>>>> default now too?
>>>>>
>>>>> Default relro is enabled only on Ubuntu among other flags. Enabling
>>>>> bindnow was Matthias' change and we did not discuss it in advance.
>>>>>
>>>>> http://sources.debian.net/src/gcc-6/6.2.0-9/debian/rules.patch/#L134
>>>>>
>>>>>> IMO either relro + bindnow should be enabled in gcc, or neither
>>>>>> should. I'm fine either way, but I find having a hardened compiler
>>>>>> is actually good, because it also gives hardened output for
>>>>>> non-packaged builds!
>>>>>
>>>>> I'm OK either way. IMO those can be enabled even for non-PIE arches BTW.
>>>>> In the original patches I wanted to follow Debian's practice of setting
>>>>> flags from dpkg, but there are pros and cons on each side.
>>>>> Setting relro + bindnow in GCC probably results in fewer FTBFSs in packages
>>>>> where flags are not passed properly, while it makes it harder to disable
>>>>> the flags from d/rules.
>>>>>
>>>>> I would like to see bindnow enabled in Stretch and the first phase of
>>>>> the freeze is near. Could you two (Matthias and Guillem) please find the
>>>>> variant which would please both of you?
>>>>
>>>> For the record Matthias reverted setting bindnow in gcc-6/6.2.0-10, thus it
>>>> seems dpkg can set both.
>>>
>>> I saw you synced dpkg with GCC's default PIE settings in 1.18.11, thank you
>>> for that.
>>> Is there any particular reason for not enabling bindnow as well?
>>>
>>> Do you plan to enable it for Stretch?
>>
>> I have uploaded a fixed package with the attached patch to DELAYED/10.
>
> That enables bindnow on any architecture whether PIE is enabled or not. Is this
> intended?

Yes, relro is enabled by default on all architectures, too.

Cheers,
Balint
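The thread turns on the difference between relro and bindnow: `-Wl,-z,relro` gives a binary a PT_GNU_RELRO segment, `-Wl,-z,now` additionally records immediate binding in the dynamic section, and only the two together make the GOT read-only after startup ("full RELRO"). The checker below is an added example, not code from the thread, dpkg or gcc; it reads the same ELF fields that `readelf -l`, `readelf -d` and devscripts' `hardening-check` report, so it can be pointed at a freshly built binary to confirm that the dpkg-buildflags defaults actually reached the link. It assumes a little-endian ELF64 input; `build_sample_elf()` constructs minimal in-memory images (not loadable programs) purely so the check can be exercised offline.

```python
"""Classify an ELF64 binary's RELRO state: none, partial (PT_GNU_RELRO only)
or full (PT_GNU_RELRO plus BIND_NOW). Added example, not code from dpkg, gcc
or the thread above. Handles little-endian ELF64 only; the images returned by
build_sample_elf() are constructed here for demonstration and are not loadable."""
import struct
import sys

# Constants from the ELF specification / glibc <elf.h>.
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL = 0
DT_BIND_NOW = 24
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1

EHDR_SIZE, PHDR_SIZE, DYN_SIZE = 64, 56, 16


def program_headers(data):
    """Yield (p_type, p_offset, p_filesz) for each ELF64 program header."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled")
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        yield p_type, p_offset, p_filesz


def dynamic_entries(data, phdrs):
    """Yield (d_tag, d_val) from the PT_DYNAMIC segment, stopping at DT_NULL."""
    for p_type, p_offset, p_filesz in phdrs:
        if p_type != PT_DYNAMIC:
            continue
        off, end = p_offset, p_offset + p_filesz
        while off + DYN_SIZE <= end:
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                return
            yield d_tag, d_val
            off += DYN_SIZE


def relro_status(data):
    """Return {'relro', 'bind_now', 'status'} with status none/partial/full.

    -z relro produces the PT_GNU_RELRO segment; -z now is recorded by the
    linker as DT_BIND_NOW and/or DF_BIND_NOW in DT_FLAGS and DF_1_NOW in
    DT_FLAGS_1. Only the combination protects the GOT ("full RELRO").
    """
    phdrs = list(program_headers(data))
    relro = any(p_type == PT_GNU_RELRO for p_type, _, _ in phdrs)
    bind_now = False
    for tag, val in dynamic_entries(data, phdrs):
        if tag == DT_BIND_NOW:
            bind_now = True
        elif tag == DT_FLAGS and val & DF_BIND_NOW:
            bind_now = True
        elif tag == DT_FLAGS_1 and val & DF_1_NOW:
            bind_now = True
    status = "full" if relro and bind_now else "partial" if relro else "none"
    return {"relro": relro, "bind_now": bind_now, "status": status}


def build_sample_elf(relro, bind_now):
    """Constructed minimal ELF64 image carrying only the headers the check reads."""
    types = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    dyn_off = EHDR_SIZE + PHDR_SIZE * len(types)
    dyn = b""
    if bind_now:  # what `ld -z now` emits into .dynamic
        dyn += struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW)
        dyn += struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, LSB, v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, EHDR_SIZE, 0, 0,
                               EHDR_SIZE, PHDR_SIZE, len(types), 64, 0, 0)
    phdrs = b"".join(
        struct.pack("<IIQQQQQQ", t, 6 if t == PT_DYNAMIC else 4,
                    dyn_off, 0, 0, len(dyn), len(dyn), 8) for t in types)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python3 relro_check.py /usr/bin/ls
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], relro_status(f.read())["status"], "RELRO")
    else:
        for flags in [(True, True), (True, False), (False, False)]:
            print("relro=%s bind_now=%s ->" % flags,
                  relro_status(build_sample_elf(*flags))["status"])
```

A package whose build only reports "partial" after the dpkg change is almost always one that does not pass dpkg-buildflags' LDFLAGS through to the link; the "already established way" to opt a package out, if lazy binding is genuinely required, is `export DEB_BUILD_MAINT_OPTIONS=hardening=-bindnow` in debian/rules rather than stripping the flag by hand.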