Hi,

2017-03-08 21:30 GMT+01:00 Bálint Réczey <[email protected]>:
> Hi All.
>
> 2017-02-21 12:44 GMT+01:00 Bálint Réczey <[email protected]>:
>> Hi All,
>>
>> 2017-02-19 12:46 GMT+01:00 Julien Cristau <[email protected]>:
>>> On Sun, Feb 19, 2017 at 12:45:09 +0100, Julien Cristau wrote:
>>>
>>>> On Wed, Feb 15, 2017 at 16:49:08 +0100, Bálint Réczey wrote:
>>>>
>>>> > Dear Release Team,
>>>> >
>>>> > GCC uses PIE by default in unstable and testing but most packages
>>>> > which haven't been rebuilt since the transition still ship unprotected
>>>> > binaries [1].
>>>> >
>>>> > If the Team agrees I suggest rebuilding the packages which would
>>>> > benefit from a rebuild. In case this gets a green light I would
>>>> > volunteer to perform a test rebuild for each package to see if the
>>>> > lintian warning goes away.
>>>> >
>>>> I don't think rebuilding the world on all release architectures in the
>>>> middle of the freeze is a good idea. It's adding churn and risk and
>>>> work which IMO outweigh the supposed benefits.
>>>>
>>> That said a test rebuild (outside the archive) on all/most architectures
>>> wouldn't be a bad idea.
>>
>> I have finished the rebuild on amd64.
>> 3404 packages built successfully [1]
>> 81 still had lintian warning about no-pie binary[2]
>> 3324 would rebuild and the result would contain only PIE binaries per
>> Lintian [3]
>>
>> IMHO if the rebuild of a package breaks it or other packages then
>> this would be an RC bug in the package thus I believe this risk is not
>> a very good reason for not performing the binNMUs.
>>
>> I am very happy about the progress of the release and I don't want to
>> risk delaying Stretch, but I think
>> we are at the beginning of the freeze period, rather than in the middle. :-)
>>
>> I also think that it would be reasonable to plan mass rebuilds at the
>> beginning of each deep freeze period when the release benefits from it
>> greatly. The call would be done by the Release Team, but announcing
>> the possibility of such mass rebuilds would let others be prepared for
>> it.
>
> Do you have any comment? Or is it the end of story for those ~3k
> packages ready for PIE but without PIE in Stretch?

I'm sorry, I have not checked the PIE progress, just the emails.
I see PIE rebuilds for packages listed without PIE coverage.
The lintian tag graph also shows the progress, thanks!

https://lintian.debian.org/tags/hardening-no-pie.html

Cheers,
Balint

>
> Cheers,
> Balint
>
>>
>> Cheers,
>> Balint
>>
>> [1] https://people.debian.org/~rbalint/pie-mass-rebuild/built-changes.txt
>> [2]
>> https://people.debian.org/~rbalint/pie-mass-rebuild/sources-still-lintian-hardening-no-pie.txt
>> [3]
>> https://people.debian.org/~rbalint/pie-mass-rebuild/sources-rebuild-works.txt

