From: Hanno Böck
To: Matthias Maier
Cc: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"
Date: Tue, 9 May 2017 23:18:20 +0200
Message-ID: <20170509231820.6228c56f@pc1>
In-Reply-To: <87k25p92d3.fsf@kestrel.kyomu.43-1.org>
References: <874lwu9c13.fsf@kestrel.kyomu.43-1.org> <20170509221021.31468d6f@gentoo.org> <87k25p92d3.fsf@kestrel.kyomu.43-1.org>

Hi,

On Tue, 09 May 2017 15:55:36 -0500
Matthias Maier wrote:

> Well, Alexis certainly makes a strong point. Breaking installed static
> archives by changing a use flag shouldn't be as easy as changing a
> use flag. So we might simply use.force the pie use flag depending on
> hardened/non-hardened profiles.

While I understand that enabling pie requires some more planning to
avoid breakage, I hope this is not the final solution we aim for.

I really think it's about time that pie becomes the default in Gentoo.
pie is required for working ASLR, which almost every other OS out there
has these days. In recent years also Fedora, Ubuntu and lately Debian
switched it on by default.

I really think this should be a default security setting, not something
that only lives in hardened.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
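A check for the property this message turns on (an executable only benefits from ASLR if it was built position-independent), added here as an example and not part of the thread: it reads the ELF header and program headers directly, separating a fixed-address ET_EXEC binary from an ET_DYN PIE executable (which carries a PT_INTERP entry) and from an ET_DYN shared object. `make_elf64` builds constructed minimal images for testing, not real compiler output.

```python
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3   # e_type: fixed-address executable vs. position-independent
PT_INTERP = 3            # program header that names the dynamic loader

def _parse_header(data: bytes):
    """Return (byte-order prefix, e_type, e_phoff, e_phentsize, e_phnum)."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    end = {1: "<", 2: ">"}.get(ei_data)
    if end is None:
        raise ValueError("unknown ELF byte order")
    e_type, = struct.unpack_from(end + "H", data, 16)
    if ei_class == 1:    # ELF32: e_phoff at 28, e_phentsize/e_phnum at 42
        phoff, = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    elif ei_class == 2:  # ELF64: e_phoff at 32, e_phentsize/e_phnum at 54
        phoff, = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        raise ValueError("unknown ELF class")
    return end, e_type, phoff, phentsize, phnum

def classify(data: bytes) -> str:
    """Say whether an ELF image can be placed at a random base by ASLR."""
    end, e_type, phoff, phentsize, phnum = _parse_header(data)
    if e_type == ET_EXEC:
        return "executable (not PIE)"      # always loaded at its link-time address
    if e_type != ET_DYN:
        return "not an executable"
    # p_type is the first field of every program header in both ELF classes.
    ptypes = {struct.unpack_from(end + "I", data, phoff + i * phentsize)[0]
              for i in range(phnum)}
    return "PIE executable" if PT_INTERP in ptypes else "shared object or static-pie"

def classify_file(path: str) -> str:
    with open(path, "rb") as f:
        return classify(f.read())

def make_elf64(e_type: int, ptypes) -> bytes:
    """Constructed little-endian x86-64 ELF image: header plus empty program headers."""
    ident = ELF_MAGIC + bytes([2, 1, 1]) + bytes(9)      # ELF64, LE, version 1
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                              64, 56, len(ptypes), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", pt, 0, 0, 0, 0, 0, 0, 0) for pt in ptypes)
    return hdr + phdrs
```

Pointing `classify_file` at an installed binary reports what `readelf -h` shows in its Type field, with the interpreter check telling a PIE executable apart from a plain shared library.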