On 22/08/16 at 19:12 +0200, Bálint Réczey wrote: > Hi Guillem, > > 2016-08-21 14:02 GMT+02:00 Guillem Jover <guil...@debian.org>: > > Hi! > > > > On Sun, 2016-08-21 at 10:24:42 +0200, Bálint Réczey wrote: > >> I'm testing a set of patches [2] for gcc and dpkg which enable bindnow for > >> all > >> arches and PIE for amd64, ppc64el and s390x in sync with Ubuntu. > >> > >> My assumption was that this set of architectures need the least amount of > >> additional work since they are tested already in Ubuntu, but I would be > >> happy > >> if more ports would opt in for PIE. > >> > >> I plan filing wishlist bugs against dpkg and gcc with the patches > >> after I rebuilt a > >> few packages with the defaults. > > > > TBH I think PIE should in fact be safer to enable globally than > > bindnow, because the latter changes the run-time behavior and things > > might break (perhaps even silently) when failing to load plugins > > or similar. > > Yes, in that sense enabling PIE is safer indeed. Regarding bindnow > I don't expect too many surprises either, since other distributions > already tested enabling bindnow and probably they found > most issues. > > > > > From dpkg PoV enabling both, would at least require a full-archive > > rebuild, for bindnow ideally also a full autopkgtest run (as the > > updated dpkg FAQ states now, after Lucas Nussbaum approached me some > > weeks ago mentioning he was willing to do such archive-wide rebuild). > > The patches at [2] seem to work well and since you expressed that you would > prefer changing both toolchain and dpkg, too, I would like to suggest running > the rebuild with those patches. > > I think Matthias would be OK with the patch since it is very small and brings > Debian's gcc closer to Ubuntu's. > > Lucas, could you please run the rebuild with the three patches?
Hi, Results are available at https://people.debian.org/~lucas/logs/2016/08/30/pie-bindnow-20160830/ I did a full rebuild with bindnow and PIE enabled, then rebuilt all failed packages with a pristine unstable chroot. You can take a look at https://people.debian.org/~lucas/logs/2016/08/30/pie-bindnow-20160830/diff.txt and grep for "OK Failed" (failed with PIE+bindnow, built fine in unstable). (There are 1188 packages failing to build) Logs for both builds are available in the respective subdirectories. Lucas