On Wed, May 10, 2017 at 01:44:06AM +0200, Andreas K. Huettel wrote:
> Am Dienstag, 9. Mai 2017, 22:10:21 CEST schrieb Alexis Ballier:
> > 
> > Do you realize that this breaks linking against about any static lib
> > ever built before upgrading? And I'm not even considering people
> > toggling the flag.
> 
> Toggling the flag is definitely bad. So it should be either on or off.
> 
> > 
> > While I believe it might be a bit too early to default-enable pie, why
> > not, but the news item *must* contain instructions that people should
> > 'emerge -e world' in order for it to work.
> > 
> > Also, I don't believe default-pie should even be a useflag. It's always
> > been forced-on for hardened and forced-off for non-hardened I think.
> > Switching between the two types of profiles has always been difficult
> > because of that kind of differences. I strongly believe this should stay
> > that way (that is: this cant be toggled by a simple useflag).
> > 
> 
> Well... Hanno and Matthias said Gentoo is about the only place where it isn't 
> on by default. So why are we "early", and why not just force it on for 
> everybody?

I just want to make sure I'm understanding this right: only .a files that
were compiled without -pie will cause issues if you compile the later
thing that uses the .a with -pie?
So:
1) people on hardened profiles are going to be fine no matter what?
2) only packages that have .a files need to be rebuilt? (not -e @world)?
3) .a are static libs for compiling static binaries right, so nothing
will break at runtime from the change? only build failures?

I definitely think everyone on Gentoo should have PIE and SSP by default
nowadays. What's the status of -zrelro -znow on non-hardened?

This might be the kind of thing where a new set of profiles is a good
idea:
1) hardened would force the flags on,
2) 13.0 non-hardened would force them off
3) 17.0 non-hardened would force them on and people have to rebuild when
      they change profiles

I'm not sure how the timing of the new profile would work? Only make them
once gcc-6 is stable so everyone does it at once?

-- Jason
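The breakage and the "which .a files need a rebuild" question discussed above, as an added example that is not part of the thread or of any Gentoo tooling: it builds a tiny static lib first the pre-PIE way (-fno-pie) and then PIE-safe (-fPIE), tries a -pie link against each, and scans the archive for absolute relocations as the rebuild check. It assumes an x86_64 gcc with binutils (ar, readelf); the library, file and function names are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "old static .a breaks a
# PIE link" failure and show a check for which .a files need a rebuild.
# Assumes an x86_64 gcc + binutils; modern gcc defaults to PIE, so every
# flag is given explicitly.
set -u
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

cat >"$WORK/lib.c" <<'EOF'
/* Hands out an address: -fno-pie code uses an absolute R_X86_64_32
   relocation for it, -fPIE code uses a RIP-relative one (fine in PIE). */
const char *greeting(void) { return "hello from libgreet"; }
EOF
cat >"$WORK/main.c" <<'EOF'
#include <stdio.h>
const char *greeting(void);
int main(void) { puts(greeting()); return 0; }
EOF

# build_lib nopie|pie: (re)build libgreet.a the way a toolchain before or
# after the PIE default switch would have built it
build_lib() {
  case "$1" in nopie) cflags=-fno-pie ;; pie) cflags=-fPIE ;; *) return 2 ;; esac
  gcc -O2 "$cflags" -c "$WORK/lib.c" -o "$WORK/lib.o" &&
    rm -f "$WORK/libgreet.a" && ar rcs "$WORK/libgreet.a" "$WORK/lib.o"
}

# link_pie: link a PIE executable against libgreet.a; prints ok or fail
link_pie() {
  if gcc -fPIE -pie "$WORK/main.c" -L"$WORK" -lgreet -o "$WORK/app" \
       2>"$WORK/ld.err"; then echo ok; else echo fail; fi
}

# needs_rebuild LIB.a: yes if any member object still carries absolute
# (R_X86_64_32 / R_X86_64_32S) relocations, i.e. it was not built PIE-safe
needs_rebuild() {
  if readelf -rW "$1" | grep -qE 'R_X86_64_32S?[[:space:]]'; then
    echo yes; else echo no; fi
}

run_demo() {
  for mode in nopie pie; do
    build_lib "$mode" || { echo "build failed ($mode)"; return 1; }
    echo "$mode lib: PIE link -> $(link_pie); needs rebuild -> $(needs_rebuild "$WORK/libgreet.a")"
  done
  # expected: nopie lib fails the PIE link (ld: "recompile with -fPIE"),
  # pie lib links fine; the check flags only the nopie build
}
run_demo
```

The same readelf scan over /usr/lib*/*.a is the practical way to find which installed archives are still non-PIE rather than rebuilding everything with -e @world.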
