Date: Wed, 10 May 2017 13:07:05 +0800
From: Jason Zaman
To: gentoo-dev@lists.gentoo.org
Cc: Alexis Ballier
Subject: Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"
Message-ID: <20170510050619.GA22122@meriadoc.perfinion.com>
In-Reply-To: <3727511.NHHzH5hy2n@pinacolada>
References: <874lwu9c13.fsf@kestrel.kyomu.43-1.org> <20170509221021.31468d6f@gentoo.org> <3727511.NHHzH5hy2n@pinacolada>

On Wed, May 10, 2017 at 01:44:06AM +0200, Andreas K. Huettel wrote:
> On Tuesday, 9 May 2017, 22:10:21 CEST, Alexis Ballier wrote:
> 
> > Do you realize that this breaks linking against about any static lib
> > ever built before upgrading? And I'm not even considering people
> > toggling the flag.
> 
> Toggling the flag is definitely bad. So it should be either on or off.
> 
> > While I believe it might be a bit too early to default-enable pie, why
> > not, but the news item *must* contain instructions that people should
> > 'emerge -e world' in order for it to work.
> > 
> > Also, I don't believe default-pie should even be a useflag. It's always
> > been forced-on for hardened and forced-off for non-hardened I think.
> > Switching between the two types of profiles has always been difficult
> > because of that kind of differences. I strongly believe this should stay
> > that way (that is: this can't be toggled by a simple useflag).
> 
> Well... Hanno and Matthias said Gentoo is about the only place where it isn't
> on by default. So why are we "early", and why not just force it on for
> everybody?

I just want to make sure I'm understanding this right: only .a files that
were compiled without -pie will cause issues if you compile the later thing
that uses the .a with -pie?

So:
1) People on hardened profiles are going to be fine no matter what?
2) Only packages that have .a files need to be rebuilt? (not -e @world)?
3) .a are static libs for compiling static binaries, right, so nothing will
   break at runtime from the change? Only build failures?

I definitely think everyone on Gentoo should have PIE and SSP by default
nowadays. What's the status of -zrelro -znow on non-hardened?

This might be the kind of thing where a new set of profiles is a good idea:
1) hardened would force the flags on,
2) 13.0 non-hardened would force them off,
3) 17.0 non-hardened would force them on,
and people have to rebuild when they change profiles.

I'm not sure how the timing of the new profile would work? Only make them
once gcc-6 is stable so everyone does it at once?

-- 
Jason