>>>>> "Guillem" == Guillem Jover <[email protected]> writes:
>> I agree that it would be the easier way and I also tried building
>> packages with patched GCC 5 setting PIE as default with success,
>> but we have a CTTE decision which says that we should set
>> hardening flags through dpkg:
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552688
Guillem> Meh, I'm not going to bother reading that bug report, but
Guillem> if that's what the decision really says, then that decision
Guillem> is just bogus…
So, first, the TC didn't actually make a formal decision. The gcc
maintainer didn't like changing the compiler defaults; dpkg-buildflags
had gotten enough traction that it seemed to be a sufficient solution,
so the bug was closed with a specific note that any interested party
could reopen.
However, I think there are several factors that are different in this
situation:
* A big concern was introducing new warnings in environments where
-Werror was in use. That is something we sadly have a fair bit of
experience fixing (-Wuninitialized springs to mind) since the time of
that bug, and that seems not to apply to PIE
* More concerns about cases where the behavior would be wrong than seem
to apply here.
Regardless of where you make the change you'll break some packages.
That happens though; both gcc and dpkg-dev have gotten more strict about
various behaviors in ways that break packages within recent memory.
So, I think there's some good reading in the TC bug about the pros and
cons of various approaches, but not all of it applies, and there is a
bit of flame to wade through mixed in with some generally well-thought
discussion.
That bug definitely should not be considered binding in general, and
definitely not in this environment.
--Sam
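Whichever mechanism ends up setting the flags (a patched GCC default or
dpkg-buildflags), the check a maintainer actually wants is whether the
binaries in a built package came out as PIE. The following is an added
example, not code from this thread or from the Debian toolchain: it reads
the ELF header and program headers directly and classifies an image as a
non-PIE executable (ET_EXEC), a PIE (ET_DYN with a PT_INTERP header) or a
plain shared object (ET_DYN without one). The sample images are constructed
in memory, header-only, and are not loadable; the PT_INTERP heuristic is an
assumption of this example and misreports a static-pie binary (ET_DYN, no
interpreter) as a shared object.

```python
"""Classify ELF images as PIE executables, non-PIE executables or shared objects.

Added example for the PIE-by-default discussion; not code from the Debian
thread.  Sample images below are constructed in memory (minimal headers only).
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3      # e_type values from the ELF spec
PT_INTERP = 3               # program header naming the dynamic loader
PT_LOAD, PT_DYNAMIC = 1, 2
EM_386, EM_X86_64 = 3, 62


def classify_elf(data: bytes) -> str:
    """Return 'exec', 'pie', 'shared-object' or 'other' for an ELF image.

    Heuristic (assumption of this example): a PIE is an ET_DYN image that
    carries a PT_INTERP header, i.e. it is started via ld.so like an
    executable.  Caveat: a static-pie binary is ET_DYN without PT_INTERP and
    is therefore reported as 'shared-object'.
    """
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or byte order")
    end = "<" if ei_data == 1 else ">"          # ELFDATA2LSB / ELFDATA2MSB
    # Fields after e_ident: e_type, e_machine, e_version, e_entry, e_phoff,
    # e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, ...
    fmt = end + ("HHIQQQIHHHHHH" if ei_class == 2 else "HHIIIIIHHHHHH")
    if len(data) < 16 + struct.calcsize(fmt):
        raise ValueError("truncated ELF header")
    hdr = struct.unpack_from(fmt, data, 16)
    e_type, phoff, phentsize, phnum = hdr[0], hdr[4], hdr[8], hdr[9]
    if e_type == ET_EXEC:
        return "exec"
    if e_type != ET_DYN:
        return "other"
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 4 > len(data):
            raise ValueError("program header table runs past end of image")
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type == PT_INTERP:
            return "pie"
    return "shared-object"


def classify_file(path: str) -> str:
    with open(path, "rb") as f:
        return classify_elf(f.read())


def build_elf(elf_class: int, e_type: int, phdr_types, big_endian=False) -> bytes:
    """Build a minimal, non-loadable ELF image with the given program headers.

    Constructed test data for this example only; real binaries also carry
    sections, a dynamic segment, and code.  Program headers are placed
    directly after the ELF header.
    """
    end = ">" if big_endian else "<"
    ident = b"\x7fELF" + bytes([elf_class, 2 if big_endian else 1, 1, 0]) + bytes(8)
    if elf_class == 2:
        ehsize, phentsize = 64, 56
        hdr = struct.pack(end + "HHIQQQIHHHHHH", e_type, EM_X86_64, 1, 0x1000,
                          ehsize, 0, 0, ehsize, phentsize, len(phdr_types), 64, 0, 0)
        # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        phdrs = b"".join(struct.pack(end + "IIQQQQQQ", t, 4, 0, 0, 0, 0, 0, 0)
                         for t in phdr_types)
    else:
        ehsize, phentsize = 52, 32
        hdr = struct.pack(end + "HHIIIIIHHHHHH", e_type, EM_386, 1, 0x1000,
                          ehsize, 0, 0, ehsize, phentsize, len(phdr_types), 40, 0, 0)
        # p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
        phdrs = b"".join(struct.pack(end + "IIIIIIII", t, 0, 0, 0, 0, 0, 4, 0)
                         for t in phdr_types)
    return ident + hdr + phdrs


# Constructed samples: header-level shape of a package built without PIE,
# with PIE, a plain shared library, and a 32-bit big-endian PIE.
SAMPLE_EXEC = build_elf(2, ET_EXEC, [PT_LOAD, PT_INTERP, PT_DYNAMIC])
SAMPLE_PIE = build_elf(2, ET_DYN, [PT_LOAD, PT_INTERP, PT_DYNAMIC])
SAMPLE_SO = build_elf(2, ET_DYN, [PT_LOAD, PT_DYNAMIC])
SAMPLE_PIE32_BE = build_elf(1, ET_DYN, [PT_INTERP, PT_LOAD], big_endian=True)


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        for name, img in (("exec", SAMPLE_EXEC), ("pie", SAMPLE_PIE),
                          ("so", SAMPLE_SO), ("pie32be", SAMPLE_PIE32_BE)):
            print(f"{name}: {classify_elf(img)}")
    for p in paths:
        print(f"{p}: {classify_file(p)}")
```

Run it with no arguments to classify the constructed samples, or pass the
paths of binaries from an unpacked .deb to see which ones a build actually
turned into PIEs. The same classification is what `readelf -h` (Type:
EXEC vs DYN) plus `readelf -l` (presence of an INTERP segment) gives by
hand; doing it in-process makes it easy to run over every ELF file in a
package tree.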