Package: dpkg-dev
Version: 1.21.22
Severity: normal
X-Debbugs-Cc: debian-al...@lists.debian.org, debian-i...@lists.debian.org

[ Cc set to debian-alpha@ and debian-ia64@ since they are most affected ]

Since stretch all release architectures are using PIE by default, and all future release architectures (including riscv64) will also use PIE by default.

Many packages in Debian are building with hardening=+all, and the effect regarding PIE is "enable PIE for this package on some obscure ports architectures that don't have it enabled by default" which is unlikely to be what the maintainer intended. There are also some pre-stretch "hardening=+pie" left in some packages.

There are some problems with this:

1. PIE should either be default or not be used

I suspect x32 might be able to default to PIE without problems (there might just not be enough interest left to change the default).

On alpha the toolchain has already become quite brittle with frequent issues like (reproducible) linker segfaults, any variations that affect the toolchain are bad.

It is for the port maintainers to decide whether or not PIE is considered stable on a port, and accordingly either make it default (which also avoids the other issues below) or not.

It is clear that a non-PIE architecture would no longer be considered suitable as a release architecture.

2. It causes weird issues on undersupported architectures

gluegen2 passes LDFLAGS to ld instead of gcc.
Several packages have relocation errors only on affected architectures.
...

Such issues could be debugged and fixed, but in practice trying to handle such issues that happen only with pie-{compile,link}.spec creates additional work that frustrates the few people keeping these non-release architectures alive.

The lowest effort fix would be to patch debian/rules of affected packages to disable hardening=+pie on affected architectures, but that would still be spending time on working around a problem that shouldn't exist.

3. It breaks some cases of static linking

Linking a package with hardening=+all against a static library from a package not using hardening=+all cannot work on the affected architectures.

Static linking is relatively rare, but I remember requesting binNMUs for static linking cases to fix FTBFS on release architectures when the default changed before stretch.

Please drop pie-{compile,link}.spec, on the architectures where it has any effect it is doing more harm than good.

Thanks