Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp", v2
> Has anyone checked 32-bit systems? "emerge -pv =sys-devel/gcc-6.3.0"
> on a 2008 Core2duo 32-bit install (my GCC 6.3.0 testbed) shows "(-pie)".
> I read that as the "pie" USE flag being hard-masked out. On my 64-bit
> desktop, "pie" is the default.

Yes, we are aware of this. Unfortunately, determining the course of action took a bit of time. Will be fixed with a small profile update within the next 24h.

Best,
Matthias
Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp", v2
On Tue, May 09, 2017 at 06:58:42PM -0500, Matthias Maier wrote:
> This is a reworded news item (assuming we proceed with the plan to
> default-enable USE=pie). Suggestions for improving the emerge command to
> fix static archives are highly welcomed.
>
> Matthias
>
>
>
> Title: GCC 6 defaults to USE="pie ssp"
> Author: Matthias Maier
> Content-Type: text/plain
> Posted: 2017-05-09
> Revision: 1
> News-Item-Format: 1.0
> Display-If-Installed: >=sys-devel/gcc-6.3.0
>
> In Gentoo, several GCC features can be default disabled or enabled
> via use-flags of sys-devel/gcc. Starting with gcc-4.8.3 we have already
> enabled default SSP [1]. Since the PIE patchset for default position
> independent executable support was integrated upstream [2,3], starting
> with gcc-6.3 we are also enabling PIE by default (via a default-enabled
> use-flag pie) in regular (non-hardened) profiles.

Has anyone checked 32-bit systems? "emerge -pv =sys-devel/gcc-6.3.0"
on a 2008 Core2duo 32-bit install (my GCC 6.3.0 testbed) shows "(-pie)".
I read that as the "pie" USE flag being hard-masked out. On my 64-bit
desktop, "pie" is the default.

--
Walter Dnes
I don't run "desktop environments"; I run useful applications
Re: New profiles for default-pie transition (was: Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp", v2)
On Wed, 10 May 2017 15:29:19 +0200
"Andreas K. Huettel" wrote:

> * generate a new set of profiles 17.0 where it's package.use.forced
> * tell people they may have to rebuild world when they switch

Do we really need to rebuild world?

From what I understand problems arise if we have packages installing static libraries that aren't built position independent. However that's only a small fraction of packages and we should be easily able to detect them. Can't we just provide a small script or bash oneliner that will rebuild all affected packages?

(other than that I think the profile plan sounds reasonable)

--
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
New profiles for default-pie transition (was: Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp", v2)
On Wednesday, 10 May 2017, 13:58:56 CEST, Dirkjan Ochtman wrote:
> On Wed, May 10, 2017 at 11:19 AM, Kristian Fiskerstrand wrote:
> > Sounds like a reasonable action plan. The consequences of such a change
> > definitely seem to be sufficiently high to merit a proper migration
> > plan which doesn't seem to have been established at this point. Whether
> > that can be added to a later point with gcc6 (e.g. by adding a new
> > profile, or a later point release) I don't have strong opinions on, but
> > there should be a plan and proper overview of the consequences.
>
> Yeah, I think I agree. From the discussions so far, I think that we
> should definitely aim for making pie the default for everyone (on
> arches where it makes sense), but doing it in the gcc-6 now which has
> seen only a short period of testing so far seems a bit hasty based on
> data from the messages that I've seen in these threads so far.

Actually the idea I like best so far is Jason's profile suggestion.

* package.use.mask gcc[pie] in the 13.0 profiles
* generate a new set of profiles 17.0 where it's package.use.forced
* tell people they may have to rebuild world when they switch

-> This would also give us some time to discuss what other changes we might make with the transition to the new profiles.

-> Also, this means the transition is independent of gcc release timing.

(We just need to be careful since hardened also inherits 13.0, so the setting must be overridden there. As far as I can see that's already done there though.)

--
Andreas K. Hüttel
dilfri...@gentoo.org
Gentoo Linux developer (council, perl, libreoffice)
Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp", v2
On Wed, May 10, 2017 at 11:19 AM, Kristian Fiskerstrand wrote:
> Sounds like a reasonable action plan. The consequences of such a change
> definitely seem to be sufficiently high to merit a proper migration
> plan which doesn't seem to have been established at this point. Whether
> that can be added to a later point with gcc6 (e.g. by adding a new
> profile, or a later point release) I don't have strong opinions on, but
> there should be a plan and proper overview of the consequences.

Yeah, I think I agree. From the discussions so far, I think that we
should definitely aim for making pie the default for everyone (on
arches where it makes sense), but doing it in the gcc-6 now which has
seen only a short period of testing so far seems a bit hasty based on
data from the messages that I've seen in these threads so far.

Cheers,

Dirkjan
Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp", v2
On 05/10/2017 09:52 AM, Alexis Ballier wrote:
> On Tue, 09 May 2017 18:58:42 -0500
> Matthias Maier wrote:
>
>> This is a reworded news item (assuming we proceed with the plan to
>> default-enable USE=pie). Suggestions for improving the emerge command
>> to fix static archives are highly welcomed.
>>
>
> Really, I think the slot to have pie for gcc 6 has been missed by
> default-enabling it only recently. We should aim for gcc 7 at least and
> have proper testing.
>
> And add a few safety nets: A portage warning when installing non-pie
> binaries, something that dies with FEATURES=strict or stricter, like
> the textrel one we have. That is to avoid the quick n dirty
> 'append-ldflags -no-pie' that makes the whole thing about forcing pie
> questionable. If possible, detect static archives that have relocations
> too.
>
> Ideally provide a system scanning tool for the above too.
>
>
> After a few months of masked gcc7 like that we'll have enough data to
> decide on a proper plan. It'll probably be good to get QA in the loop
> and make this a QA goal too.
>

Sounds like a reasonable action plan. The consequences of such a change
definitely seem to be sufficiently high to merit a proper migration
plan which doesn't seem to have been established at this point. Whether
that can be added to a later point with gcc6 (e.g. by adding a new
profile, or a later point release) I don't have strong opinions on, but
there should be a plan and proper overview of the consequences.

--
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp", v2
On Tue, 09 May 2017 18:58:42 -0500
Matthias Maier wrote:

> This is a reworded news item (assuming we proceed with the plan to
> default-enable USE=pie). Suggestions for improving the emerge command
> to fix static archives are highly welcomed.
>

Really, I think the slot to have pie for gcc 6 has been missed by
default-enabling it only recently. We should aim for gcc 7 at least and
have proper testing.

And add a few safety nets: A portage warning when installing non-pie
binaries, something that dies with FEATURES=strict or stricter, like
the textrel one we have. That is to avoid the quick n dirty
'append-ldflags -no-pie' that makes the whole thing about forcing pie
questionable. If possible, detect static archives that have relocations
too.

Ideally provide a system scanning tool for the above too.

After a few months of masked gcc7 like that we'll have enough data to
decide on a proper plan. It'll probably be good to get QA in the loop
and make this a QA goal too.
Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp", v2
This is a reworded news item (assuming we proceed with the plan to
default-enable USE=pie). Suggestions for improving the emerge command to
fix static archives are highly welcomed.

Matthias



Title: GCC 6 defaults to USE="pie ssp"
Author: Matthias Maier
Content-Type: text/plain
Posted: 2017-05-09
Revision: 1
News-Item-Format: 1.0
Display-If-Installed: >=sys-devel/gcc-6.3.0

In Gentoo, several GCC features can be default disabled or enabled
via use-flags of sys-devel/gcc. Starting with gcc-4.8.3 we have already
enabled default SSP [1]. Since the PIE patchset for default position
independent executable support was integrated upstream [2,3], starting
with gcc-6.3 we are also enabling PIE by default (via a default-enabled
use-flag pie) in regular (non-hardened) profiles.

[Additionally, following Gentoo policies, the default-off use-flags
nopie (only present in Hardened) and nossp are replaced starting with
gcc-6 by default-on use-flags pie and ssp.]

Be advised that switching from an older version to GCC 6 will enable
the PIE feature by default. This should not cause many problems for
packages involving shared libraries. However, static archives need to
be rebuilt (otherwise final linkage will fail [4]). You can rebuild
affected packages containing static archives via

  # emerge --exclude 'dev-haskell/*' -1 $(find /lib* /usr/lib* -type f -name "*.a")

[1] https://www.gentoo.org/support/news-items/2014-06-15-gcc48_ssp.html
[2] https://gcc.gnu.org/gcc-6/changes.html
[3] A big thanks to all developers and members of the Gentoo community
    that made upstreaming the pie patchset and other hardening options
    possible!
[4] A typical link error reads

    relocation R_X86_64_32 against `.rodata.str1.1' can not be used when
    making a shared object; recompile with -fPIC
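The thread twice asks for a way to find the static archives that will break under default PIE (Alexis's "detect static archives that have relocations", Hanno's "small script or bash oneliner") instead of rebuilding everything the news item's find(1) pipeline touches. As an added example written for this page, not code from the thread or from Gentoo, here is a POSIX sh scanner that classifies `readelf -r` output for a static archive, reports the members whose code sections carry the absolute 32-bit relocations behind the `recompile with -fPIC` link error quoted in [4], and maps a library path back to its owning package through the `/var/db/pkg` CONTENTS records. The archive `libdemo.a`, its members and the sample readelf output are constructed; `nonpic_relocs`, `scan_archive` and `owner_of` are names of my own.

```shell
#!/bin/sh
# Added example (not from the gentoo-dev thread). Needs binutils' readelf
# for real archives; the constructed sample below runs without it.

# nonpic_relocs: read `readelf -r` output on stdin and print "<member> <count>"
# for every archive member with absolute 32-bit relocations in a .text
# section (R_X86_64_32 / R_X86_64_32S on amd64, R_386_32 on x86). Those are
# the relocations the PIE link step rejects; PC-relative ones are fine.
nonpic_relocs() {
    awk '
        /^File: /             { member = $2; sub(/^.*\(/, "", member); sub(/\)$/, "", member) }
        /^Relocation section/ { sec = $3 }
        sec ~ /\.rela?\.text/ && ($3 == "R_X86_64_32" || $3 == "R_X86_64_32S" || $3 == "R_386_32") { bad[member]++ }
        END { for (m in bad) print m, bad[m] }
    ' | sort
}

# scan_archive: classify one real static archive on disk.
scan_archive() {
    readelf -r "$1" 2>/dev/null | nonpic_relocs
}

# owner_of: map an installed file path to the Gentoo package that owns it
# by grepping the "obj <path> <md5> <mtime>" lines in /var/db/pkg CONTENTS
# (plain grep; no portage-utils needed). Prints e.g. "sys-libs/zlib-1.2.11".
owner_of() {
    grep -ls "^obj $1 " /var/db/pkg/*/*/CONTENTS 2>/dev/null \
        | sed 's:^/var/db/pkg/::; s:/CONTENTS$::'
}

# sample_readelf: constructed `readelf -r libdemo.a` output for a two-member
# archive. absolute.o carries an R_X86_64_32 (non-PIC); relative.o does not.
sample_readelf() {
cat <<'EOF'
File: libdemo.a(absolute.o)

Relocation section '.rela.text' at offset 0x1c0 contains 2 entries:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
000000000004  000500000002 R_X86_64_PC32     0000000000000000 .rodata.str1.1 - 4
00000000000b  00050000000a R_X86_64_32       0000000000000000 .rodata.str1.1 + 0

File: libdemo.a(relative.o)

Relocation section '.rela.text' at offset 0x1a0 contains 1 entry:
  Offset          Info           Type           Sym. Value    Sym. Name + Addend
000000000004  000500000002 R_X86_64_PC32     0000000000000000 .rodata.str1.1 - 4
EOF
}

# Scan the archive given as argument, otherwise run on the constructed sample.
if [ $# -gt 0 ]; then scan_archive "$1"; else sample_readelf | nonpic_relocs; fi
```

Feeding every `*.a` under `/usr/lib*` through `scan_archive` and the flagged paths through `owner_of` yields the package list to pass to `emerge -1`, which is narrower than rebuilding every package that installs a static archive.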