| 1 |
Hanno Böck <hanno@g.o> wrote: |
| 2 |
> I really think it's about time that pie becomes the default in Gentoo. |
| 3 |
|
| 4 |
Although I agree from a security perspective, I must warn that |
| 5 |
this is not realistic, currently: |
| 6 |
|
| 7 |
I am using gcc-6 since ages and tried to run a desktop with default pie |
| 8 |
for quite a while, but soon was forced to give up: |
| 9 |
|
| 10 |
There are simply too many package which fail to compile; |
| 11 |
this cannot even be recommended to early testers yet, not to speak |
| 12 |
about the wide public. |
| 13 |
|
| 14 |
The difficulty is not the static libraries |
| 15 |
(which except for embedded systems are hardly needed at all), |
| 16 |
but simply that too many projects are not prepared for this. |
| 17 |
|
| 18 |
The main problem is that it is not easy (as it was for the hardened gcc) |
| 19 |
to switch the compiler profiles if you have a non-working project: |
| 20 |
If a project fails to emerge and does not honour CFLAGS throughout - |
| 21 |
there simply are quite a lot of projects which do neither - |
| 22 |
the user either has to write/get some patch manually or he has to |
| 23 |
re-emerge gcc just in order to compile/update that single project. |
| 24 |
|
| 25 |
For instance, you cannot even compile the kernel without special patches |
| 26 |
(which disable pie) if you use a gcc which default-enables pie. |
| 27 |
|
| 28 |
Thus, unless practically all upstream projects deal with pie or unless |
| 29 |
gentoo manages to get a huge group of persons which patches all new releases |
| 30 |
of upstream projects to this purpose very quickly - both is not realistic, |
| 31 |
of course - using pie by default is a no-go for "normal" systems: |
| 32 |
Perhaps some very hardened servers with only very few packages and |
| 33 |
a very active administrator can afford to do this, but not "normal" |
| 34 |
users who run a desktop. |
Archives