On Tue, May 9, 2017, at 15:10 CDT, Alexis Ballier <aballier@g.o> wrote:

> There is a *huge* difference between:
> <flag name="nopie">Disable PIE support (NOT FOR GENERAL USE)</flag>
> and the negation of:
> pie - Build programs as Position Independent Executables (a security
> hardening technique)
>
> Enabling the latter builds *everything* as PIE.

Yes.

> Do you realize that this breaks linking against about any static lib
> ever built before upgrading? And I'm not even considering people
> toggling the flag.

Yes, I am aware of this.


On Tue, May 9, 2017, at 15:27 CDT, Mike Gilbert <floppym@g.o> wrote:

> I disagree. We might want to default the "pie" USE flag differently
> depending on the profile, but there's no need to force it.

Well, Alexis certainly makes a strong point. Breaking installed static
archives by changing a use flag shouldn't be as easy as changing a
useflag. So we might simply use.force the pie use flag depending on
hardened/non-hardened profiles.

I'll follow up with a proposed profile change forcing -pie for non
hardened and pie for hardened profiles (instead of this news item).

I have one question, though: For what arches do we have to disable pie?
(The current patchset simply enables all.)

Best,
Matthias