On 14.12.2016 13:58, Bálint Réczey wrote:
> Hi All,
>
> 2016-11-06 13:20 GMT+01:00 Bálint Réczey <bal...@balintreczey.hu>:
>> Hi Guillem,
>>
>> 2016-10-27 23:49 GMT+02:00 Bálint Réczey <bal...@balintreczey.hu>:
>>> Hi,
>>>
>>> 2016-10-26 13:46 GMT+02:00 Bálint Réczey <bal...@balintreczey.hu>:
>>>> Hi,
>>>>
>>>> 2016-10-26 5:00 GMT+02:00 Guillem Jover <guil...@debian.org>:
>>>>> Hi!
>>>>>
>>>>> On Thu, 2016-10-20 at 03:20:59 +0200, Bálint Réczey wrote:
>>>>>> For the record gcc-6/6.2.0-7 enabled bindnow for the architectures
>>>>>> where PIE is enabled by default. I think enabling bindnow from dpkg
>>>>>> would be better through the hardening flags because packages could
>>>>>> disable it in a nicer and already established way.
>>>>>
>>>>> Hmm, I don't get why bindnow was enabled by default in gcc, while
>>>>> relro (I'd assume) is not enabled by default, or is that enabled by
>>>>> default now too?
>>>>
>>>> Default relro is enabled only on Ubuntu among other flags. Enabling
>>>> bindnow was Matthias' change and we did not discuss it in advance.
>>>>
>>>> http://sources.debian.net/src/gcc-6/6.2.0-9/debian/rules.patch/#L134
>>>>
>>>>> IMO either relro + bindnow should be enabled in gcc, or neither
>>>>> should. I'm fine either way, but I find having a hardened compiler
>>>>> is actually good, because it also gives hardened output for
>>>>> non-packaged builds!
>>>>
>>>> I'm OK either way. IMO those can be enabled even for non-PIE arches BTW.
>>>> In the original patches I wanted to follow Debian's practice of setting
>>>> flags from dpkg, but there are pros and cons on each side.
>>>> Setting relro + bindnow in GCC probably results in fewer FTBFS-s in packages
>>>> where flags are not passed properly, while it makes it harder to disable
>>>> the flags from d/rules.
>>>>
>>>> I would like to see bindnow enabled in Stretch and the first phase of
>>>> the freeze is near. Could you two (Matthias and Guillem) please find the
>>>> variant which would please both of you?
>>>
>>> For the record Matthias reverted setting bindnow in gcc-6/6.2.0-10, thus it
>>> seems dpkg can set both.
>>
>> I saw you synced dpkg with GCC's default PIE settings in 1.18.11, thank you
>> for that.
>> Is there any particular reason for not enabling bindnow as well?
>>
>> Do you plan on enabling it for Stretch?
>
> I have uploaded a fixed package with the attached patch to DELAYED/10.
That enables bindnow on any architecture whether PIE is enabled or not. Is this intended?

Matthias