On Wed, 10 May 2017 01:44:06 +0200 "Andreas K. Huettel" <dilfri...@gentoo.org> wrote:

> > While I believe it might be a bit too early to default-enable pie,
> > why not, but the news item *must* contain instructions that people
> > should 'emerge -e world' in order for it to work.
> >
> > Also, I don't believe default-pie should even be a useflag. It's
> > always been forced-on for hardened and forced-off for non-hardened
> > I think. Switching between the two types of profiles has always
> > been difficult because of that kind of difference. I strongly
> > believe this should stay that way (that is: this can't be toggled by
> > a simple useflag).
>
> Well... Hanno and Matthias said Gentoo is about the only place where
> it isn't on by default. So why are we "early", and why not just force
> it on for everybody?
We're early because it has not been prepared. It has just been toggled to default on *after* unmasking gcc-6 without even a tinderbox run. We have no real idea of the fallout.

As for Hanno's claim that others are doing it, well, I'd say that's a really good opportunity to have a look at their findings:

Fedora (which did the emerge -e world thing):
https://fedoraproject.org/wiki/Changes/Harden_All_Packages

From the tracker:
https://bugzilla.redhat.com/show_bug.cgi?id=1199775

We can find a few runtime failures:
https://bugzilla.redhat.com/show_bug.cgi?id=956868 (no idea)
https://bugzilla.redhat.com/show_bug.cgi?id=952946 (requires kernel 4.1+)
https://bugzilla.redhat.com/show_bug.cgi?id=1238804 (building perl with pie seems to make some perl packages fail at runtime)
https://bugzilla.redhat.com/show_bug.cgi?id=1228570 (mono borkage)

Ubuntu:
https://wiki.ubuntu.com/SteveBeattie/PIENotes
https://launchpad.net/~sbeattie/+archive/ubuntu/gcc-pie-amd64/+build/8315122 (Qt checking type of an executable, which changes after enabling pie)
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=18780 (emacs segfaults with pie, has to use -no-pie)

But probably the Debian transition is the best one to look at, since they'd be the ones with the closest release methodology to ours (with testing/unstable):
https://wiki.debian.org/Hardening/PIEByDefaultTransition

The first test build finished with 1188 packages failing ....

So, yes, I do believe we need a more serious plan to enable pie by default :)

Alexis.
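The Qt breakage listed above comes from the ELF type flipping from ET_EXEC to ET_DYN once executables are built as PIE, which is also why a PIE looks like a shared library to a naive check. The following Python is an added example, not part of this thread or any distribution's tooling: it classifies an ELF64 image as a fixed-address executable, a PIE, or a shared object by combining e_type with the presence of a PT_INTERP program header, and it goes slightly beyond the thread by showing the PIE-versus-library distinction; the sample images are constructed in the code and are not loadable binaries.

```python
import struct

ET_EXEC, ET_DYN = 2, 3      # e_type values from the ELF specification
PT_LOAD, PT_INTERP = 1, 3   # program header types used below

def elf_kind(data: bytes) -> str:
    """Classify an ELF64 image as 'exec' (fixed address), 'pie' or 'shared'.
    A PIE has e_type == ET_DYN just like a shared library, so a check that
    reads only e_type misclassifies every PIE binary; what sets a PIE apart
    from a .so is the PT_INTERP program header requesting the loader."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    end = "<" if data[5] == 1 else ">"                 # EI_DATA: 1 = little
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    if e_type == ET_EXEC:
        return "exec"
    if e_type != ET_DYN:
        return "other"
    for i in range(e_phnum):
        (p_type,) = struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            return "pie"
    return "shared"

def make_elf64(e_type: int, phdr_types=()) -> bytes:
    """Constructed minimal little-endian x86-64 ELF image (header plus
    program headers, nothing loadable) for exercising the classifier."""
    phnum = len(phdr_types)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # 64-bit, LE, v1
    header = ident + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0x1000,
        64 if phnum else 0,        # e_phoff: program headers follow header
        0, 0, 64, 56, phnum, 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, 0, 0, 0, 0, 0, 1)
                     for t in phdr_types)
    return header + phdrs

# Constructed samples: a pre-PIE executable, the same program built as PIE,
# and a shared library. Only e_type and the program headers matter here.
SAMPLES = {
    "legacy_exec": make_elf64(ET_EXEC, (PT_LOAD, PT_INTERP)),
    "pie_exec": make_elf64(ET_DYN, (PT_LOAD, PT_INTERP)),
    "libfoo.so": make_elf64(ET_DYN, (PT_LOAD,)),
}

def classify_all(samples=SAMPLES) -> dict:
    return {name: elf_kind(img) for name, img in samples.items()}
```

Feeding `elf_kind()` the bytes of real binaries after an `emerge -e world` is a quick way to audit which installed executables actually came out as PIE and which were still linked with `-no-pie`.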