Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp", v2

2017-05-11 Thread Matthias Maier
>   Has anyone checked 32-bit systems?  "emerge -pv =sys-devel/gcc-6.3.0"
> on a 2008 Core2duo 32-bit install (my GCC 6.3.0 testbed) shows "(-pie)".
> I read that as the "pie" USE flag being hard-masked out.  On my 64-bit
> desktop, "pie" is the default.

Yes, we are aware of this. Unfortunately, determining the course of
action took a bit of time.

Will be fixed with a small profile update within the next 24h.

Best,
Matthias



Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp", v2

2017-05-11 Thread Walter Dnes
On Tue, May 09, 2017 at 06:58:42PM -0500, Matthias Maier wrote
> This is a reworded news item (assuming we proceed with the plan to
> default-enable USE=pie). Suggestions for improving the emerge command to
> fix static archives are highly welcome.
> 
> Matthias
> 
> 
> 
> Title: GCC 6 defaults to USE="pie ssp"
> Author: Matthias Maier 
> Content-Type: text/plain
> Posted: 2017-05-09
> Revision: 1
> News-Item-Format: 1.0
> Display-If-Installed: >=sys-devel/gcc-6.3.0
> 
> In Gentoo, several GCC features can be default disabled or enabled 
> via use-flags of sys-devel/gcc. Starting with gcc-4.8.3 we have already
> enabled default SSP [1]. Since the PIE patchset for default position 
> independent executable support was integrated upstream [2,3], starting 
> with gcc-6.3 we are also enabling PIE by default (via a default-enabled 
> use-flag pie) in regular (non-hardened) profiles.

  Has anyone checked 32-bit systems?  "emerge -pv =sys-devel/gcc-6.3.0"
on a 2008 Core2duo 32-bit install (my GCC 6.3.0 testbed) shows "(-pie)".
I read that as the "pie" USE flag being hard-masked out.  On my 64-bit
desktop, "pie" is the default.

-- 
Walter Dnes 
I don't run "desktop environments"; I run useful applications



Re: New profiles for default-pie transition (was: Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp", v2)

2017-05-10 Thread Hanno Böck
On Wed, 10 May 2017 15:29:19 +0200
"Andreas K. Huettel"  wrote:

> * generate a new set of profiles 17.0 where it's package.use.forced
> * tell people they may have to rebuild world when they switch

Do we really need to rebuild world?
From what I understand problems arise if we have packages installing
static libraries that aren't built position independent.
However that's only a small fraction of packages and we should be
easily able to detect them.

Can't we just provide a small script or bash oneliner that will rebuild
all affected packages?

(other than that I think the profile plan sounds reasonable)

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42



New profiles for default-pie transition (was: Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp", v2)

2017-05-10 Thread Andreas K. Huettel
On Wednesday, 10 May 2017, 13:58:56 CEST, Dirkjan Ochtman wrote:
> On Wed, May 10, 2017 at 11:19 AM, Kristian Fiskerstrand wrote:
> > Sounds like a reasonable action plan. The consequences of such a change
> > definitely seem to be sufficiently high to merit a proper migration
> > plan which doesn't seem to have been established at this point. Whether
> > that can be added at a later point with gcc6 (e.g by adding a new
> > profile, or a later point release) I don't have strong opinions on, but
> > there should be a plan and proper overview of the consequences.
> 
> Yeah, I think I agree. From the discussions so far, I think that we
> should definitely aim for making pie the default for everyone (on
> arches where it makes sense), but doing it in the gcc-6 now which has
> seen only a short period of testing so far seems a bit hasty based on
> data from the messages that I've seen in these threads so far.

Actually the idea I like best so far is Jason's profile suggestion. 

* package.use.mask gcc[pie] in the 13.0 profiles

* generate a new set of profiles 17.0 where it's package.use.forced
* tell people they may have to rebuild world when they switch

-> This would also give us some time to discuss what other changes we might 
make with the transition to the new profiles. 

-> Also, this means the transition is independent of gcc release timing.

(We just need to be careful since hardened also inherits 13.0, so the setting 
must be overridden there. As far as I can see that's already done there 
though.)

-- 
Andreas K. Hüttel
dilfri...@gentoo.org
Gentoo Linux developer (council, perl, libreoffice)



Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp", v2

2017-05-10 Thread Dirkjan Ochtman
On Wed, May 10, 2017 at 11:19 AM, Kristian Fiskerstrand  wrote:
> Sounds like a reasonable action plan. The consequences of such a change
> definitely seem to be sufficiently high to merit a proper migration
> plan which doesn't seem to have been established at this point. Whether
> that can be added at a later point with gcc6 (e.g by adding a new
> profile, or a later point release) I don't have strong opinions on, but
> there should be a plan and proper overview of the consequences.

Yeah, I think I agree. From the discussions so far, I think that we
should definitely aim for making pie the default for everyone (on
arches where it makes sense), but doing it in the gcc-6 now which has
seen only a short period of testing so far seems a bit hasty based on
data from the messages that I've seen in these threads so far.

Cheers,

Dirkjan



Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp", v2

2017-05-10 Thread Kristian Fiskerstrand
On 05/10/2017 09:52 AM, Alexis Ballier wrote:
> On Tue, 09 May 2017 18:58:42 -0500
> Matthias Maier  wrote:
> 
>> This is a reworded news item (assuming we proceed with the plan to
>> default-enable USE=pie). Suggestions for improving the emerge command
>> to fix static archives are highly welcome.
>>
> 
> Really, I think the slot to have pie for gcc 6 has been missed by
> default-enabling it only recently. We should aim for gcc 7 at least and
> have proper testing.
> 
> And add a few safety nets: A portage warning when installing non-pie
> binaries, something that dies with FEATURES=strict or stricter, like
> the textrel one we have. That is to avoid the quick n dirty
> 'append-ldflags -no-pie' that makes the whole thing about forcing pie
> questionable. If possible, detect static archives that have relocations
> too.
> 
> Ideally provide a system scanning tool for the above too.
> 
> 
> After a few months of masked gcc7 like that we'll have enough data to
> decide on a proper plan. It'll probably be good to get QA in the loop
> and make this a QA goal too.
> 

Sounds like a reasonable action plan. The consequences of such a change
definitely seem to be sufficiently high to merit a proper migration
plan which doesn't seem to have been established at this point. Whether
that can be added at a later point with gcc6 (e.g by adding a new
profile, or a later point release) I don't have strong opinions on, but
there should be a plan and proper overview of the consequences.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3





Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp", v2

2017-05-10 Thread Alexis Ballier
On Tue, 09 May 2017 18:58:42 -0500
Matthias Maier  wrote:

> This is a reworded news item (assuming we proceed with the plan to
> default-enable USE=pie). Suggestions for improving the emerge command
> to fix static archives are highly welcome.
>

Really, I think the slot to have pie for gcc 6 has been missed by
default-enabling it only recently. We should aim for gcc 7 at least and
have proper testing.

And add a few safety nets: A portage warning when installing non-pie
binaries, something that dies with FEATURES=strict or stricter, like
the textrel one we have. That is to avoid the quick n dirty
'append-ldflags -no-pie' that makes the whole thing about forcing pie
questionable. If possible, detect static archives that have relocations
too.

Ideally provide a system scanning tool for the above too.


After a few months of masked gcc7 like that we'll have enough data to
decide on a proper plan. It'll probably be good to get QA in the loop
and make this a QA goal too.





Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp", v2

2017-05-09 Thread Matthias Maier
This is a reworded news item (assuming we proceed with the plan to
default-enable USE=pie). Suggestions for improving the emerge command to
fix static archives are highly welcome.

Matthias



Title: GCC 6 defaults to USE="pie ssp"
Author: Matthias Maier 
Content-Type: text/plain
Posted: 2017-05-09
Revision: 1
News-Item-Format: 1.0
Display-If-Installed: >=sys-devel/gcc-6.3.0

In Gentoo, several GCC features can be default disabled or enabled 
via use-flags of sys-devel/gcc. Starting with gcc-4.8.3 we have already
enabled default SSP [1]. Since the PIE patchset for default position 
independent executable support was integrated upstream [2,3], starting 
with gcc-6.3 we are also enabling PIE by default (via a default-enabled 
use-flag pie) in regular (non-hardened) profiles.

[Additionally, following Gentoo policies, the default-off use-flags
nopie (only present in Hardened) and nossp are replaced starting with
gcc-6 by default-on use-flags pie and ssp.]

Be advised that switching from an older version to GCC 6 will enable the
PIE feature by default. This should not cause many problems for packages
involving shared libraries. However, static archives need to be rebuilt
(otherwise final linkage will fail [4]). You can rebuild affected packages
containing static archives via

  # emerge --exclude 'dev-haskell/*' -1 $(find /lib* /usr/lib* -type f -name "*.a")

[1] https://www.gentoo.org/support/news-items/2014-06-15-gcc48_ssp.html
[2] https://gcc.gnu.org/gcc-6/changes.html
[3] A big thanks to all developers and members of the Gentoo community that
made upstreaming the pie patchset and other hardening options possible!
[4] A typical link error reads
  relocation R_X86_64_32 against `.rodata.str1.1' can not be used when
  making a shared object; recompile with -fPIC

