Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)

2016-08-22 Thread Bálint Réczey
Hi All, 2016-05-28 23:16 GMT+02:00 Bálint Réczey : > Hi, > > 2016-05-18 2:21 GMT+02:00 Guillem Jover : >> On Tue, 2016-05-17 at 12:08:09 +0200, Matthias Klose wrote: >>> I'm not a fan myself for turning on hardening flags in the compiler itself, >>> but

Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)

2016-07-03 Thread Sam Hartman
> "Guillem" == Guillem Jover writes: >> I agree that it would be the easier way and I also tried building >> packages with patched GCC 5 setting PIE as default with success, >> but we have a CTTE decision which says that we should set >> hardening flags

Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)

2016-05-28 Thread Bálint Réczey
Hi, 2016-05-18 2:21 GMT+02:00 Guillem Jover : > On Tue, 2016-05-17 at 12:08:09 +0200, Matthias Klose wrote: >> I'm not a fan myself for turning on hardening flags in the compiler itself, >> but if you do that, then dpkg issues like https://bugs.debian.org/823869 >> need to be

Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)

2016-05-28 Thread Bálint Réczey
Hi, 2016-05-16 13:09 GMT+02:00 Christoph Egger : > Hi! > > Iustin Pop writes: >> - that bug seems to have been opened in the context of custom patches to >> GCC, back in 2009-2012 >> - the CTTE seems to have made an informal decision (see last update >>

Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)

2016-05-18 Thread Christoph Egger
Hi! Iustin Pop writes: > - that bug seems to have been opened in the context of custom patches to > GCC, back in 2009-2012 > - the CTTE seems to have made an informal decision (see last update > #272) on that topic And most importantly - the tech-ctte primarily refused

Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)

2016-05-17 Thread Guillem Jover
On Tue, 2016-05-17 at 12:08:09 +0200, Matthias Klose wrote: > I'm not a fan myself for turning on hardening flags in the compiler itself, > but if you do that, then dpkg issues like https://bugs.debian.org/823869 > need to be addressed (whether all obscure build systems picking these up, or >

Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)

2016-05-17 Thread Guillem Jover
Hi! On Sun, 2016-05-15 at 21:45:55 +0200, Bálint Réczey wrote: > 2016-05-15 20:49 GMT+02:00 Niels Thykier : > > Bálint Réczey: > >> I think making PIE and bindnow default in dpkg (at least for amd64) would > >> be > >> perfect release goals for Stretch. > > > > I support the

Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)

2016-05-17 Thread Matthias Klose
On 15.05.2016 23:10, Iustin Pop wrote: On 2016-05-15 21:45:55, Bálint Réczey wrote: Hi Niels, 2016-05-15 20:49 GMT+02:00 Niels Thykier : Bálint Réczey: Hi, [...] Hi, I think making PIE and bindnow default in dpkg (at least for amd64) would be perfect release goals

Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)

2016-05-17 Thread Bastien Roucaries
On 15 May 2016 20:49:38 GMT+02:00, Niels Thykier wrote: >Bálint Réczey: >> Hi, >> >> [...] >> > >Hi, > >> I think making PIE and bindnow default in dpkg (at least for amd64) >would be >> perfect release goals for Stretch. >> > >I support the end goal, but I suspect we

reproducible builds + PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)

2016-05-16 Thread Holger Levsen
On Sun, May 15, 2016 at 08:13:19PM +0200, Bálint Réczey wrote: > I think the next step could be an archive rebuild with the changed defaults I assume you are talking about a test rebuild here… first, as a next step. I'm replying here now about the "real rebuilds" coming later: reproducible

Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)

2016-05-15 Thread Iustin Pop
On 2016-05-15 21:45:55, Bálint Réczey wrote: > Hi Niels, > > 2016-05-15 20:49 GMT+02:00 Niels Thykier : > > Bálint Réczey: > >> Hi, > >> > >> [...] > >> > > > > Hi, > > > >> I think making PIE and bindnow default in dpkg (at least for amd64) would > >> be > >> perfect release

Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)

2016-05-15 Thread Dimitri John Ledkov
On 15 May 2016 at 19:49, Niels Thykier wrote: > Bálint Réczey: >> Hi, >> >> [...] >> > > Hi, > >> I think making PIE and bindnow default in dpkg (at least for amd64) would be >> perfect release goals for Stretch. >> > > I support the end goal, but I suspect we should enable PIE

Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)

2016-05-15 Thread Bálint Réczey
Hi Niels, 2016-05-15 20:49 GMT+02:00 Niels Thykier : > Bálint Réczey: >> Hi, >> >> [...] >> > > Hi, > >> I think making PIE and bindnow default in dpkg (at least for amd64) would be >> perfect release goals for Stretch. >> > > I support the end goal, but I suspect we should

Re: PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)

2016-05-15 Thread Niels Thykier
Bálint Réczey: > Hi, > > [...] > Hi, > I think making PIE and bindnow default in dpkg (at least for amd64) would be > perfect release goals for Stretch. > I support the end goal, but I suspect we should enable PIE by default via GCC-6's new configure switch[1]. Assuming it does what I hope,

PIE + bindnow for Stretch?(Re: Time to reevaluate the cost of -fPIC?)

2016-05-15 Thread Bálint Réczey
Hi, 2016-05-15 4:11 GMT+02:00 Dimitri John Ledkov : > On 14 May 2016 at 21:12, Niels Thykier wrote: >> Marco d'Itri: >>> On May 03, Josh Triplett wrote: >>> While this doesn't make PIC absolutely free, it does eliminate almost