On Wed, May 10, 2017, at 00:07 CDT, Jason Zaman <perfin...@gentoo.org> wrote:

> I just want to make sure I'm understanding this right: only .a files that
> were compiled without -pie will cause issues if you compile the later
> thing that uses the .a with -pie?
> So:
> 1) people on hardened profiles are going to be fine no matter what?

Yes.

> 2) only packages that have .a files need to be rebuilt? (not -e @world)?

Essentially yes. (There might be one or two additional catches for
languages with special linkage/libraries. For example, haskell packages
have to force -no-pie - which they already do :-])

> 3) .a are static libs for compiling static binaries right, so nothing
> will break at runtime from the change? only build failures?

Yes.

> I definitely think everyone on Gentoo should have PIE and SSP by default
> nowadays. What's the status of -zrelro -znow on non-hardened?

The essential difference between non-hardened and hardened is additional

  -fstack-protector-all -fstrict_overflow -znow

on hardened.

> This might be the kind of thing where a new set of profiles is a good
> idea:
> 1) hardened would force the flags on,
> 2) 13.0 non-hardened would force them off,
> 3) 17.0 non-hardened would force them on and people have to rebuild when
> they change profiles.

*mhm* A profile update would also be an idea.

> I'm not sure how the timing of the new profile would work? Only make them
> once gcc-6 is stable so everyone does it at once?


Best,
Matthias
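As an added example (not part of the thread above), the check below tells a PIE apart from a fixed-address executable or a plain shared library by reading the ELF header and program headers, which is how you can verify that a toolchain defaulting to -pie actually produced one. The sample ELF image is constructed inline; on a real file `readelf -h` reports the same e_type (EXEC vs DYN).

```python
"""Classify an ELF image as PIE, fixed-address executable or shared object.

PIE binaries are ET_DYN like shared libraries; the PT_INTERP program header
(request for a dynamic loader) is what marks them as executables. Caveat: a
static-pie binary has no PT_INTERP and is reported here as a shared object.
"""
import struct

ET_EXEC, ET_DYN = 2, 3
PT_INTERP = 3


def classify_elf(data: bytes) -> str:
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    # Fields after e_ident: e_type, e_machine, e_version, e_entry, e_phoff,
    # e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum (64-bit vs 32-bit widths)
    fmt = "HHIQQQIHHH" if data[4] == 2 else "HHIIIIIHHH"
    e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from(end + fmt, data, 16)
    if e_type == ET_EXEC:
        return "EXEC (fixed load address, not PIE)"
    if e_type != ET_DYN:
        return "not an executable (e_type=%d)" % e_type
    for i in range(e_phnum):
        (p_type,) = struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            return "PIE"
    return "shared object (ET_DYN without PT_INTERP)"


def classify_file(path: str) -> str:
    with open(path, "rb") as fh:
        return classify_elf(fh.read())


def build_sample(e_type: int, with_interp: bool) -> bytes:
    """Constructed minimal ELF64 little-endian image: header plus at most one
    program header and no code; enough for classify_elf() to run offline."""
    phnum = 1 if with_interp else 0
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, 64, 0, 0,
                              64, 56, phnum, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_INTERP, 4, 0, 0, 0, 0, 0, 1) if with_interp else b""
    return hdr + phdr


if __name__ == "__main__":
    for label, img in (("pie", build_sample(ET_DYN, True)),
                       ("exec", build_sample(ET_EXEC, False)),
                       ("lib", build_sample(ET_DYN, False))):
        print(label, "->", classify_elf(img))
```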
