On Wed, 10 May 2017 01:44:06 +0200
"Andreas K. Huettel" <dilfridge@g.o> wrote:

> >
> > While I believe it might be a bit too early to default-enable pie,
> > why not, but the news item *must* contain instructions that people
> > should 'emerge -e world' in order for it to work.
> >
> > Also, I don't believe default-pie should even be a useflag. It's
> > always been forced-on for hardened and forced-off for non-hardened
> > I think. Switching between the two types of profiles has always
> > been difficult because of that kind of difference. I strongly
> > believe this should stay that way (that is: this can't be toggled by
> > a simple useflag).
>
> Well... Hanno and Matthias said Gentoo is about the only place where
> it isn't on by default. So why are we "early", and why not just force
> it on for everybody?

We're early because it has not been prepared. It has just been toggled
to default on *after* unmasking gcc-6 without even a tinderbox run. We
have no real idea of the fallout.

As for Hanno's claim that others are doing it, well, I'd say that's a
really good opportunity to have a look at their findings:

Fedora (which did the emerge -e world thing):
https://fedoraproject.org/wiki/Changes/Harden_All_Packages

From the tracker:
https://bugzilla.redhat.com/show_bug.cgi?id=1199775

We can find a few runtime failures:

https://bugzilla.redhat.com/show_bug.cgi?id=956868 (no idea)
https://bugzilla.redhat.com/show_bug.cgi?id=952946 (requires kernel 4.1+)
https://bugzilla.redhat.com/show_bug.cgi?id=1238804 (building perl with
pie seems to make some perl packages fail at runtime)
https://bugzilla.redhat.com/show_bug.cgi?id=1228570 (mono borkage)

Ubuntu:

https://wiki.ubuntu.com/SteveBeattie/PIENotes

https://launchpad.net/~sbeattie/+archive/ubuntu/gcc-pie-amd64/+build/8315122
(Qt checking type of an executable, which changes after enabling pie)
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=18780 (emacs segfaults
with pie, has to use -no-pie)

But probably the Debian transition is the best one to look at, since
they'd be the ones with the closest release methodology to ours (with
testing/unstable):

https://wiki.debian.org/Hardening/PIEByDefaultTransition

The first test build finished with 1188 packages failing

....

So, yes, I do believe we need a more serious plan to enable pie by
default :)

Alexis.
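The Ubuntu/Qt failure cited above comes from a build system inspecting the ELF type of an executable: a PIE executable is ET_DYN (like a shared library) rather than ET_EXEC, so any tool that equates "ET_DYN" with "library" misclassifies it once PIE is the default. The following is an added example, not code from this thread or from Gentoo, showing how a tinderbox-style audit can tell the three cases apart by combining e_type with the presence of a PT_INTERP program header (executables carry an interpreter, plain shared objects normally do not). The `build_elf64` helper only constructs minimal synthetic ELF images as test fixtures; the classifier itself works on real files read from disk.

```python
import struct
import sys

# ELF constants (from the ELF specification)
ET_EXEC, ET_DYN = 2, 3
PT_INTERP = 3


def classify_elf(data: bytes) -> str:
    """Classify an ELF image as non-PIE executable, PIE executable, or shared
    object using only the ELF header and the program header table."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return "not an ELF file"
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"          # ELFDATA2LSB vs ELFDATA2MSB
    if ei_class == 2:                           # ELFCLASS64
        ehdr_fmt = end + "HHIQQQIHHHHHH"        # fields from e_type (offset 16) on
        phdr_fmt = end + "IIQQQQQQ"             # p_type is the first field
    elif ei_class == 1:                         # ELFCLASS32
        ehdr_fmt = end + "HHIIIIIHHHHHH"
        phdr_fmt = end + "IIIIIIII"             # p_type is the first field here too
    else:
        return "unknown ELF class"
    if len(data) < 16 + struct.calcsize(ehdr_fmt):
        return "truncated ELF header"
    (e_type, _mach, _ver, _entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shent, _shnum, _shstrndx) = struct.unpack_from(ehdr_fmt, data, 16)

    if e_type == ET_EXEC:
        return "ET_EXEC: non-PIE executable (fixed load address)"
    if e_type != ET_DYN:
        return f"e_type={e_type}: not a loadable executable image"

    # ET_DYN is ambiguous: PIE executables and shared libraries share it.
    # The interpreter entry (PT_INTERP) is what marks an executable.
    phdr_size = struct.calcsize(phdr_fmt)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + phdr_size > len(data):
            return "truncated program header table"
        if struct.unpack_from(phdr_fmt, data, off)[0] == PT_INTERP:
            return "ET_DYN + PT_INTERP: PIE executable"
    return "ET_DYN without PT_INTERP: shared object"


def build_elf64(e_type: int, phdr_types) -> bytes:
    """Constructed test fixture (not a real binary): a little-endian ELF64
    header followed by one zeroed program header per requested p_type."""
    ehsize, phentsize = 64, 56
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + bytes(7)   # class64, LE, v1
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, ehsize, 0, 0,
                              ehsize, phentsize, len(phdr_types), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0)
                     for t in phdr_types)
    return hdr + phdrs


def classify_paths(paths):
    """Read each file and return {path: classification}; usable over a
    tinderbox image root to spot tools that still expect ET_EXEC."""
    out = {}
    for p in paths:
        try:
            with open(p, "rb") as fh:
                out[p] = classify_elf(fh.read())
        except OSError as exc:
            out[p] = f"unreadable: {exc}"
    return out


if __name__ == "__main__":
    for path, verdict in classify_paths(sys.argv[1:]).items():
        print(f"{path}: {verdict}")
```

Run it as `python3 elfclass.py /usr/bin/*` (path name assumed) to get a per-file verdict; a build script that branches on "is this ET_EXEC?" is exactly the kind of logic that breaks after the switch, and the PT_INTERP check is the portable way to keep distinguishing executables from libraries.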