• Enabling PIE by default for Stretch

    From Matthias Klose@21:1/5 to Niels Thykier on Fri Sep 30 18:40:01 2016
    [CCing porters, please also leave feedback in #835148 for non-release architectures]

    On 29.09.2016 21:39, Niels Thykier wrote:
    > Hi,
    >
    > As brought up on the meeting last night, I think we should try to go for
    > PIE by default in Stretch on all release architectures!
    > * It is a substantial hardening feature
    > * Upstream has vastly reduced the performance penalty for x86
    > * The majority of all porters believe their release architecture is
    >   ready for it.
    > * We have sufficient time to solve any issues or revert if it turns out
    >   to be too problematic.
    >
    > As agreed on during the [meeting], if there are no major concerns to
    > this proposal in general within a week, I shall file a bug against GCC
    > requesting PIE by default on all release architectures (with backing
    > porters).

    please re-use #835148

    > If there are only major concerns with individual architectures, I will
    > simply exclude said architectures in the "PIE by default" request.
    >
    > * Deadline for major concerns: Fri, 7th of October 2016.
    >
    > Fall-out
    > ========
    >
    > There will be some possible fall-out from this change:
    >
    > * There will be some FTBFS caused by some packages needing a rebuild
    >   before reverse dependencies can enable PIE. These are a subset of
    >   the bugs filed in the [pie+bindnow] build tests.
    >
    > * Some packages may not be ready for PIE. These will have to disable
    >   it per package. A notable case being ghc (#712228), where we can
    >   reuse the patch from Ubuntu to work around the issue.
    >
    > * A possible issue from Matthias was that no one has done a large scale
    >   "PIE by default" on "arm* mips*".
    >
    > * There was concern about whether the 32bit arm architectures would be
    >   notably affected by the PIE slow down (like x86 used to be).
    >   It is not measured, but two arm porters did mention a possible
    >   slowdown.
    >
    > * It was questioned whether it made sense to invest time and effort in
    >   enabling PIE for architectures which would not be included in Buster
    >   (armel?). Personally, I do not see an issue, if the porters are
    >   ready to put in the effort required.
    >
    > Thanks,
    > ~Niels
    >
    > [meeting]: http://meetbot.debian.net/debian-release/2016/debian-release.2016-09-28-19.00.html
    >
    > [pie+bindnow]: https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=pie-bindnow-20160906&users=balint%40balintreczey.hu;dist=unstable

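The fall-out discussed in the thread comes down to which built objects end up as fixed-address executables and which as position-independent ones. The script below is an added example, not code from the thread or from Debian's tooling: it classifies an ELF image as a non-PIE executable, a PIE executable or a shared object by reading only the ELF header and program headers (the same fields `readelf -h` and `readelf -l` print), which is the check a maintainer can run over a package's installed binaries after a rebuild. The sample images it inspects are constructed inside the script so it runs offline; `classify_elf`, `make_sample` and `non_pie_executables` are names chosen for this example.

```python
"""Classify ELF images as non-PIE executable, PIE executable or shared object.

Added example for the Debian "PIE by default" discussion; not part of the
thread. Only the ELF header and program headers are parsed, and the sample
images are constructed below, so nothing on the running system is needed.
"""
import struct

ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB = 1
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_INTERP = 1, 3


def classify_elf(data: bytes) -> str:
    """Return 'not-elf', 'exec', 'pie', 'shared' or 'other' for an ELF image.

    'exec'   - ET_EXEC: linked at a fixed address, i.e. NOT built as PIE
    'pie'    - ET_DYN that carries a PT_INTERP segment: a PIE executable
    'shared' - ET_DYN without an interpreter: an ordinary shared library
    'other'  - relocatable objects, core files and anything else
    """
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        return "not-elf"
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == ELFDATA2LSB else ">"  # byte order of the file
    if ei_class == ELFCLASS64:
        if len(data) < 64:
            return "not-elf"
        # e_type e_machine e_version e_entry e_phoff e_shoff e_flags
        # e_ehsize e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
        fields = struct.unpack_from(end + "HHIQQQIHHHHHH", data, 16)
    elif ei_class == ELFCLASS32:
        fields = struct.unpack_from(end + "HHIIIIIHHHHHH", data, 16)
    else:
        return "not-elf"
    e_type, e_phoff, e_phentsize, e_phnum = fields[0], fields[4], fields[8], fields[9]
    if e_type == ET_EXEC:
        return "exec"
    if e_type != ET_DYN:
        return "other"
    # ET_DYN covers both PIE executables and shared libraries; an interpreter
    # segment is what distinguishes an executable the kernel can run directly.
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            break  # truncated program header table
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type == PT_INTERP:
            return "pie"
    return "shared"


def make_sample(e_type: int, with_interp: bool) -> bytes:
    """Constructed, minimal ELF64 LSB x86-64 image: header plus program headers.

    It is not a runnable binary; it exists only to exercise the classifier.
    """
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\0" * 8
    segment_types = ([PT_INTERP] if with_interp else []) + [PT_LOAD]
    ehsize, phentsize = 64, 56
    header = struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0x1000, ehsize, 0, 0,
                         ehsize, phentsize, len(segment_types), 64, 0, 0)
    # Elf64_Phdr: p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
    phdrs = b"".join(struct.pack("<IIQQQQQQ", p_type, 4, 0, 0, 0, 0, 0, 0x1000)
                     for p_type in segment_types)
    return ident + header + phdrs


def non_pie_executables(images: dict) -> list:
    """Names of images that are executables but were not linked as PIE."""
    return sorted(name for name, data in images.items()
                  if classify_elf(data) == "exec")


if __name__ == "__main__":
    samples = {
        "old-style-exec": make_sample(ET_EXEC, False),
        "pie-exec": make_sample(ET_DYN, True),
        "libfoo.so": make_sample(ET_DYN, False),
    }
    for name, data in samples.items():
        print(f"{name:16s} {classify_elf(data)}")
    print("non-PIE executables:", non_pie_executables(samples))
```

On a real system, feed `classify_elf` the bytes of each binary a package installs; a result of `exec` after the default change means the package still disables PIE, either deliberately (as with the ghc case in the thread) or because its build system overrides the compiler defaults. The ET_DYN-plus-PT_INTERP heuristic is what `file` uses as well; a DT_FLAGS_1 check in the dynamic section is the stricter alternative. The FTBFS cases the thread mentions, static archives whose objects were not built with -fPIE, show up as link-time relocation errors and are not visible from the finished binary this check inspects.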