| 1 |
On Wed, 10 May 2017 01:44:06 +0200 |
| 2 |
"Andreas K. Huettel" <dilfridge@g.o> wrote: |
| 3 |
> > |
| 4 |
> > While I believe it might be a bit too early to default-enable pie, |
| 5 |
> > why not, but the news item *must* contain instructions that people |
| 6 |
> > should 'emerge -e world' in order for it to work. |
| 7 |
> > |
| 8 |
> > Also, I don't believe default-pie should even be a useflag. It's |
| 9 |
> > always been forced-on for hardened and forced-off for non-hardened |
| 10 |
> > I think. Switching between the two types of profiles has always |
| 11 |
> > been difficult because of that kind of differences. I strongly |
| 12 |
> > believe this should stay that way (that is: this cant be toggled by |
| 13 |
> > a simple useflag). |
| 14 |
> |
| 15 |
> Well... Hanno and Matthias said Gentoo is about the only place where |
| 16 |
> it isn't on by default. So why are we "early", and why not just force |
| 17 |
> it on for everybody? |
| 18 |
|
| 19 |
|
| 20 |
We're early because it has not been prepared. It has just been toggled |
| 21 |
to default on *after* unmasking gcc-6 without even a tinderbox run. We |
| 22 |
have no real idea of the fallout. |
| 23 |
|
| 24 |
|
| 25 |
As for Hanno's claim that others are doing it, well, I'd say that's a |
| 26 |
really good opportunity to have a look at their findings: |
| 27 |
|
| 28 |
Fedora (which did the emerge -e world thing): |
| 29 |
https://fedoraproject.org/wiki/Changes/Harden_All_Packages |
| 30 |
|
| 31 |
From the tracker: |
| 32 |
https://bugzilla.redhat.com/show_bug.cgi?id=1199775 |
| 33 |
|
| 34 |
We can find a few runtime failures: |
| 35 |
|
| 36 |
https://bugzilla.redhat.com/show_bug.cgi?id=956868 (no idea) |
| 37 |
https://bugzilla.redhat.com/show_bug.cgi?id=952946 (requires kernel |
| 38 |
4.1+) |
| 39 |
https://bugzilla.redhat.com/show_bug.cgi?id=1238804 (building perl with |
| 40 |
pie seems to make some perl packages fail at runtime) |
| 41 |
https://bugzilla.redhat.com/show_bug.cgi?id=1228570 (mono borkage) |
| 42 |
|
| 43 |
|
| 44 |
Ubuntu: |
| 45 |
|
| 46 |
https://wiki.ubuntu.com/SteveBeattie/PIENotes |
| 47 |
|
| 48 |
https://launchpad.net/~sbeattie/+archive/ubuntu/gcc-pie-amd64/+build/8315122 |
| 49 |
(Qt checking type of an executable, which changes after enabling pie) |
| 50 |
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=18780 (emacs segfaults |
| 51 |
with pie, has to use -no-pie) |
| 52 |
|
| 53 |
|
| 54 |
But probably the debian transition is the best to look for since they'd |
| 55 |
be the ones with closest release methodology as us (with |
| 56 |
testing/unstable): |
| 57 |
|
| 58 |
https://wiki.debian.org/Hardening/PIEByDefaultTransition |
| 59 |
|
| 60 |
The first test build finished with 1188 packages failing |
| 61 |
|
| 62 |
|
| 63 |
|
| 64 |
|
| 65 |
.... |
| 66 |
|
| 67 |
So, yes, I do believe we need a more serious plan to enable pie by |
| 68 |
default :) |
| 69 |
|
| 70 |
|
| 71 |
Alexis. |
Archives