[gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"

[gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"

[Matthias Maier]

[-- Attachment #1: Type: text/plain, Size: 1522 bytes --]

Title: GCC 6 defaults to USE="pie ssp"
Author: Matthias Maier <tamiko@gentoo.org>
Content-Type: text/plain
Posted: 2017-05-07
Revision: 1
News-Item-Format: 1.0
Display-If-Installed: >=sys-devel/gcc-6.3.0
Display-If-Keyword: amd64

In Gentoo, several GCC features can be default disabled or enabled 
via use-flags of sys-devel/gcc. Starting with gcc-4.8.3 we have already
enabled default SSP [1]. Since the PIE patchset for default position 
independent executable support was integrated upstream [2,3], starting 
with gcc-6.3 we are also enabling PIE by default (via a default-enabled 
use-flag pie) in regular (non-hardened) profiles.

[Additionally, following Gentoo policies, the default-off use-flags 
nopie (only present in Hardened) and nossp are replaced starting with 
gcc-6 by default-on use-flags pie and ssp.]

Be advised that switching from an older version to GCC 6 will enable the 
PIE feature by default. This should not cause many problems, but it may 
be necessary to recompile parts of your userland. An indicator are 
linker errors of the form [4]

  relocation R_X86_64_32 against `.rodata.str1.1' can not be used when
  making a shared object; recompile with -fPIC

[1] https://www.gentoo.org/support/news-items/2014-06-15-gcc48_ssp.html
[2] https://gcc.gnu.org/gcc-6/changes.html
[3] A big thanks to all developers and members of the Gentoo community that
    made upstreaming the pie patchset and other hardening options possible!
[4] https://bugs.gentoo.org/617698

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 850 bytes --]

Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"

[Alexis Ballier]

On Tue, 09 May 2017 12:26:48 -0500
Matthias Maier <tamiko@gentoo.org> wrote:

> Title: GCC 6 defaults to USE="pie ssp"
> Author: Matthias Maier <tamiko@gentoo.org>
> Content-Type: text/plain
> Posted: 2017-05-07
> Revision: 1
> News-Item-Format: 1.0
> Display-If-Installed: >=sys-devel/gcc-6.3.0
> Display-If-Keyword: amd64
> 
> In Gentoo, several GCC features can be default disabled or enabled 
> via use-flags of sys-devel/gcc. Starting with gcc-4.8.3 we have
> already enabled default SSP [1]. Since the PIE patchset for default
> position independent executable support was integrated upstream
> [2,3], starting with gcc-6.3 we are also enabling PIE by default (via
> a default-enabled use-flag pie) in regular (non-hardened) profiles.
> 
> [Additionally, following Gentoo policies, the default-off use-flags 
> nopie (only present in Hardened) and nossp are replaced starting with 
> gcc-6 by default-on use-flags pie and ssp.]


There is a *huge* difference between:
 <flag name="nopie">Disable PIE support (NOT FOR GENERAL USE)</flag>
and the negation of:
 pie - Build programs as Position Independent Executables (a security
 hardening technique)

Enabling the latter builds *everything* as PIE.

> Be advised that switching from an older version to GCC 6 will enable
> the PIE feature by default. This should not cause many problems, but
> it may be necessary to recompile parts of your userland. An indicator
> are linker errors of the form [4]

Do you realize that this breaks linking against about any static lib
ever built before upgrading ? And I'm not even considering people
toggling the flag.

While I believe it might be a bit too early to default-enable pie, why
not, but the news item *must* contain instructions that people should
'emerge -e world' in order for it to work.

Also, I don't believe default-pie should even be a useflag. It's always
been forced-on for hardened and forced-off for non-hardened I think.
Switching between the two types of profiles has always been difficult
because of that kind of differences. I strongly believe this should stay
that way (that is: this cant be toggled by a simple useflag).

Bests,

Alexis.

Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"

[Mike Gilbert]

On Tue, May 9, 2017 at 4:10 PM, Alexis Ballier <aballier@gentoo.org> wrote:
> Also, I don't believe default-pie should even be a useflag. It's always
> been forced-on for hardened and forced-off for non-hardened I think.
> Switching between the two types of profiles has always been difficult
> because of that kind of differences. I strongly believe this should stay
> that way (that is: this cant be toggled by a simple useflag).

I disagree. We might want to default the "pie" USE flag differently
depending on the profile, but there's no need to force it.

Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"

[Chí-Thanh Christopher Nguyễn]

Mike Gilbert schrieb:
> I disagree. We might want to default the "pie" USE flag differently
> depending on the profile, but there's no need to force it.

I think we should force the pie USE flag on/off depending on the profile.

My proposal:
For all profiles except hardened, introduce a pie/nopie variant.
Deprecate the nopie profiles once enough packages build successfully 
(maybe request a tinderbox run?)
In the profile depreciation message, point to a document how to migrate 
to pie.

Setting pie default depending on GCC version is not a good idea IMO.

Best regards,
Chí-Thanh Christopher Nguyễn

Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"

[Matthias Maier]

On Tue, May  9, 2017, at 15:10 CDT, Alexis Ballier <aballier@gentoo.org> wrote:

> There is a *huge* difference between:
>  <flag name="nopie">Disable PIE support (NOT FOR GENERAL USE)</flag>
> and the negation of:
>  pie - Build programs as Position Independent Executables (a security
>  hardening technique)
>
> Enabling the latter builds *everything* as PIE.

Yes.

> Do you realize that this breaks linking against about any static lib
> ever built before upgrading ? And I'm not even considering people
> toggling the flag.

Yes, I am aware of this.



On Tue, May  9, 2017, at 15:27 CDT, Mike Gilbert <floppym@gentoo.org> wrote:

> I disagree. We might want to default the "pie" USE flag differently
> depending on the profile, but there's no need to force it.

Well, Alexis certainly makes a strong point. Breaking installed static
archives by changing a use flag shouldn't be as easy as changing a
useflag. So we might simply use.force the pie use flag depending on
hardened/non-hardened profiles.


I'll follow up with a proposed profile change forcing -pie for non
hardened and pie for hardened profiles (instead of this news item).

I have one question, though: For what arches do we have to disable pie?
(The current patchset simply enables all.)

Best,
Matthias

[gentoo-dev] [PATCH] profiles: Mask pie useflag for >=sys-devel/gcc-6

[Matthias Maier]

  - Mask sys-devel/gcc pie useflag globally in /base

  - Selectively unmask pie useflag for
      hardened/linux
      hardened/linux/musl
    profiles

  - Ensure pie useflag is forced for hardened profiles
---
 profiles/arch/amd64/package.use.mask                | 4 ----
 profiles/arch/base/package.use.mask                 | 4 ----
 profiles/base/package.use.mask                      | 4 ++++
 profiles/hardened/linux/musl/amd64/package.use.mask | 6 ------
 profiles/hardened/linux/musl/package.use.mask       | 4 ++++
 profiles/hardened/linux/musl/use.force              | 4 ++++
 profiles/hardened/linux/package.use.mask            | 4 ++++
 profiles/hardened/linux/use.force                   | 2 +-
 8 files changed, 17 insertions(+), 15 deletions(-)
 delete mode 100644 profiles/hardened/linux/musl/amd64/package.use.mask

diff --git a/profiles/arch/amd64/package.use.mask b/profiles/arch/amd64/package.use.mask
index 4548392..2fe5376 100644
--- a/profiles/arch/amd64/package.use.mask
+++ b/profiles/arch/amd64/package.use.mask
@@ -30,10 +30,6 @@ dev-lang/ocaml -spacetime
 # nvidia drivers are unmasked here
 media-video/ffmpeg -nvenc
 
-# Magnus Granberg <zorry@gentoo.org> (18 Jan 2017)
-# masked in base, unmask for amd64
->=sys-devel/gcc-6.3.0 -pie
-
 # Luke Dashjr <luke-jr+gentoobugs@utopios.org> (04 Jan 2017)
 # Assembly optimisations are supported on amd64 for all versions
 dev-libs/libsecp256k1 -asm
diff --git a/profiles/arch/base/package.use.mask b/profiles/arch/base/package.use.mask
index f2d3a9b..8442d97 100644
--- a/profiles/arch/base/package.use.mask
+++ b/profiles/arch/base/package.use.mask
@@ -18,10 +18,6 @@ media-video/ffmpeg nvenc
 # media-libs/raspberrypi-userland not keyworded
 media-video/motion mmal
 
-# Magnus Granberg <zorry@gentoo.org> (18 Jan 2017)
-# Mask it globally, unmask it on supported arch
->=sys-devel/gcc-6.2.0 pie
-
 # Luke Dashjr <luke-jr+gentoobugs@utopios.org> (04 Jan 2017)
 # Mask assembly optimisations that are platform-specific
 dev-libs/libsecp256k1 asm
diff --git a/profiles/base/package.use.mask b/profiles/base/package.use.mask
index 9f55b27..c8faec7 100644
--- a/profiles/base/package.use.mask
+++ b/profiles/base/package.use.mask
@@ -7,6 +7,10 @@
 # This file is only for generic masks. For arch-specific masks (i.e.
 # mask everywhere, unmask on arch/*) use arch/base.
 
+# Matthias Maier <tamiko@gentoo.org> (09 May 2017)
+# Mask pie useflag globally and unmask + use.force on hardened profiles.
+sys-devel/gcc pie
+
 # Mike Gilbert <floppym@gentoo.org> (28 Apr 2017)
 # Needs sandbox-2.11 (masked)
 >=www-client/chromium-59 tcmalloc
diff --git a/profiles/hardened/linux/musl/amd64/package.use.mask b/profiles/hardened/linux/musl/amd64/package.use.mask
deleted file mode 100644
index e2d77b0..00000000
--- a/profiles/hardened/linux/musl/amd64/package.use.mask
+++ /dev/null
@@ -1,6 +0,0 @@
-# Copyright 1999-2017 Gentoo Foundation.
-# Distributed under the terms of the GNU General Public License v2
-
-# Matthias Maier <tamiko@genoto.org> (07 May 2017)
-# masked in arch/base, unmask for hardened/musl/amd64
->=sys-devel/gcc-6.3.0 -pie
diff --git a/profiles/hardened/linux/musl/package.use.mask b/profiles/hardened/linux/musl/package.use.mask
index 9078b7c..46857dc 100644
--- a/profiles/hardened/linux/musl/package.use.mask
+++ b/profiles/hardened/linux/musl/package.use.mask
@@ -1,6 +1,10 @@
 # Copyright 1999-2015 Gentoo Foundation.
 # Distributed under the terms of the GNU General Public License v2
 
+# Matthias Maier <tamiko@gentoo.org> (09 May 2017)
+# Unmask the pie useflag on hardened/linux/musl profiles.
+sys-devel/gcc -pie
+
 # See bug #504200
 sys-devel/gcc sanitize
 
diff --git a/profiles/hardened/linux/musl/use.force b/profiles/hardened/linux/musl/use.force
index 79e5575..debacff 100644
--- a/profiles/hardened/linux/musl/use.force
+++ b/profiles/hardened/linux/musl/use.force
@@ -2,3 +2,7 @@
 # Distributed under the terms of the GNU General Public License v2
 
 elibc_musl
+
+# Make sure people don't accidentally turn off ssp/pie in important packages.
+pie
+ssp
diff --git a/profiles/hardened/linux/package.use.mask b/profiles/hardened/linux/package.use.mask
index 4178151..aa2adc5 100644
--- a/profiles/hardened/linux/package.use.mask
+++ b/profiles/hardened/linux/package.use.mask
@@ -1,6 +1,10 @@
 # Copyright 1999-2017 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
+# Matthias Maier <tamiko@gentoo.org> (09 May 2017)
+# Unmask the pie useflag on hardened profiles.
+sys-devel/gcc -pie
+
 # Ilya Tumaykin <itumaykin+gentoo@gmail.com> (19 Jan 2017)
 # Requires x11-drivers/nvidia-drivers. Needs testing first.
 media-video/mpv cuda
diff --git a/profiles/hardened/linux/use.force b/profiles/hardened/linux/use.force
index 35e5653..ec5509c 100644
--- a/profiles/hardened/linux/use.force
+++ b/profiles/hardened/linux/use.force
@@ -1,6 +1,6 @@
 # Copyright 1999-2015 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
-# Make sure people don't accidentally turn of ssp/pie in important packages.
+# Make sure people don't accidentally turn off ssp/pie in important packages.
 pie
 ssp
-- 
2.10.2

Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"

[Hanno Böck]

Hi,

On Tue, 09 May 2017 15:55:36 -0500
Matthias Maier <tamiko@gentoo.org> wrote:

> Well, Alexis certainly makes a strong point. Breaking installed static
> archives by changing a use flag shouldn't be as easy as changing a
> useflag. So we might simply use.force the pie use flag depending on
> hardened/non-hardened profiles.

While I understand that enabling pie requires some more planning to
avoid breakage, I hope this is not the final solution we aim for. I
really think it's about time that pie becomes the default in Gentoo.

pie is required for working ASLR, which almost every other OS out there
has these days. In recent years also Fedora, Ubuntu and lately Debian
switched it on by default. I really think this should be a default
security setting, not something that only lives in hardened.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"

[Alexis Ballier]

On Tue, 9 May 2017 23:18:20 +0200
Hanno Böck <hanno@gentoo.org> wrote:

> Hi,
> 
> On Tue, 09 May 2017 15:55:36 -0500
> Matthias Maier <tamiko@gentoo.org> wrote:
> 
> > Well, Alexis certainly makes a strong point. Breaking installed
> > static archives by changing a use flag shouldn't be as easy as
> > changing a useflag. So we might simply use.force the pie use flag
> > depending on hardened/non-hardened profiles.  
> 
> While I understand that enabling pie requires some more planning to
> avoid breakage, I hope this is not the final solution we aim for. I
> really think it's about time that pie becomes the default in Gentoo.

For a transition we can probably build everything with -fPIE but not
link with -pie. If we want that to happen fast, gcc-6 might do that and
gcc-7 add the -pie option.

Alexis.

Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"

[Matthias Maier]

[-- Attachment #1: Type: text/plain, Size: 1386 bytes --]

> For a transition we can probably build everything with -fPIE but not
> link with -pie. If we want that to happen fast, gcc-6 might do that and
> gcc-7 add the -pie option.

I am not entirely convinced that a transition period of one gcc version
is enough for a smooth transition [1].

It might be better to go through a quick transition process that
requires a world rebuild. - In particular we already forced everyone on
~amd64 to play beta tester in this regard [2,3].

Anyway the current use flag situation is a mess and has to be cleaned
up asap.

So, dos anyone recall why USE=pie was masked for >gcc-6.2 for everyone
except amd64?

Related to that

 - for which architectures shall we unmask the use flag?

 - shall we use.force a certain behavior per profile, or keep the flag
   unpinned?


After having thought about the issue for a bit I still want to propose
what we have already accidentally done - switch to USE=pie per default
for gcc-6.

Best,
Matthias


[1] Indeed *every* major linux distribution for which I have an lxc
    container has -pie enabled. If we decide on some slow transition we
    risk to be late to the party by quite a bit.

[2] Which is extremely unfortunate.

[3] The fallout I currently see due to enabled USE=pie is noticeably but
    by no stretch crazy bad. After all, static linkage is rarely used
    (with the exception of some languages).

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 850 bytes --]

Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"

[Alexis Ballier]

On Tue, 09 May 2017 18:13:06 -0500
Matthias Maier <tamiko@gentoo.org> wrote:

> > For a transition we can probably build everything with -fPIE but not
> > link with -pie. If we want that to happen fast, gcc-6 might do that
> > and gcc-7 add the -pie option.  
> 
> I am not entirely convinced that a transition period of one gcc
> version is enough for a smooth transition [1].

In theory, a transition period won't help. It'll probably mitigate the
user issues by a lot though. Note that by being a source based rolling
distro we're quite different than e.g. fedora rebuilding all their repo
at each release.

[...]
> Related to that
> 
>  - for which architectures shall we unmask the use flag?

Keep in mind that if the performance implications are almost inexistent
for amd64, pie might have serious implications on other arches. x86
eating one register for pie/pic and lacking an easy way to write pic
safe asm is a very well known problematic arch.

Which raises the question: What happens for multilib amd64 ?


[...]
> [3] The fallout I currently see due to enabled USE=pie is noticeably
> but by no stretch crazy bad. After all, static linkage is rarely used
>     (with the exception of some languages).

After only a few days in ~arch and no tinderbox run I'd say that's
pretty normal :)

static linkage is more present than one would like though; and it's not
only -static, but also libs that do not make sense or break when shared
(libfl comes to mind)


Alexis.

Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"

[Andreas K. Huettel]

[-- Attachment #1: Type: text/plain, Size: 648 bytes --]

Am Mittwoch, 10. Mai 2017, 00:47:30 CEST schrieb Alexis Ballier:
> On Tue, 9 May 2017 23:18:20 +0200 Hanno Böck <hanno@gentoo.org> wrote:
> > I really think it's about time that pie becomes the default in Gentoo.
> 
> For a transition we can probably build everything with -fPIE but not
> link with -pie. If we want that to happen fast, gcc-6 might do that and
> gcc-7 add the -pie option.

What do we gain by that?

Wouldn't we need to rebuild all the static archives afterwards again anyway, 
just to make sure they have been rebuilt?

-- 
Andreas K. Hüttel
dilfridge@gentoo.org
Gentoo Linux developer (council, perl, libreoffice)

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 981 bytes --]

Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"

[Alexis Ballier]

On Wed, 10 May 2017 01:40:36 +0200
"Andreas K. Huettel" <dilfridge@gentoo.org> wrote:

> Am Mittwoch, 10. Mai 2017, 00:47:30 CEST schrieb Alexis Ballier:
> > On Tue, 9 May 2017 23:18:20 +0200 Hanno Böck <hanno@gentoo.org>
> > wrote:  
> > > I really think it's about time that pie becomes the default in
> > > Gentoo.  
> > 
> > For a transition we can probably build everything with -fPIE but not
> > link with -pie. If we want that to happen fast, gcc-6 might do that
> > and gcc-7 add the -pie option.  
> 
> What do we gain by that?
> 
> Wouldn't we need to rebuild all the static archives afterwards again
> anyway, just to make sure they have been rebuilt?
> 

yep we wouldn't gain much

considering gcc unmasks timings, the idea was to have enough time to
pass for the need to rebuild to be gone

[gentoo-dev] Re: [RFC] News item: GCC 6 defaults to USE="pie ssp"

[Martin Vaeth]

Hanno Böck <hanno@gentoo.org> wrote:
> I really think it's about time that pie becomes the default in Gentoo.

Although I agree from a security perspective, I must warn that
this is not realistic, currently:

I am using gcc-6 since ages and tried to run a desktop with default pie
for quite a while, but soon was forced to give up:

There are simply too many package which fail to compile;
this cannot even be recommended to early testers yet, not to speak
about the wide public.

The difficulty is not the static libraries
(which except for embedded systems are hardly needed at all),
but simply that too many projects are not prepared for this.

The main problem is that it is not easy (as it was for the hardened gcc)
to switch the compiler profiles if you have a non-working project:
If a project fails to emerge and does not honour CFLAGS throughout -
there simply are quite a lot of projects which do neither -
the user either has to write/get some patch manually or he has to
re-emerge gcc just in order to compile/update that single project.

For instance, you cannot even compile the kernel without special patches
(which disable pie) if you use a gcc which default-enables pie.

Thus, unless practically all upstream projects deal with pie or unless
gentoo manages to get a huge group of persons which patches all new releases
of upstream projects to this purpose very quickly - both is not realistic,
of course - using pie by default is a no-go for "normal" systems:
Perhaps some very hardened servers with only very few packages and
a very active administrator can afford to do this, but not "normal"
users who run a desktop.

Re: [gentoo-dev] Re: [RFC] News item: GCC 6 defaults to USE="pie ssp"

[Matthias Maier]

On Wed, May 10, 2017, at 02:28 CDT, Martin Vaeth <martin@mvath.de> wrote:

> I am using gcc-6 since ages and tried to run a desktop with default pie
> for quite a while, but soon was forced to give up:

> [...]

I have pie enabled on a desktop for years. Almost all major linux
distribution have pie enabled as well nowadays.

https://wiki.debian.org/Hardening/PIEByDefaultTransition

Re: [gentoo-dev] Re: [RFC] News item: GCC 6 defaults to USE="pie ssp"

[James Le Cuirot]

On Wed, 10 May 2017 08:20:32 -0500
Matthias Maier <tamiko@gentoo.org> wrote:

> On Wed, May 10, 2017, at 02:28 CDT, Martin Vaeth <martin@mvath.de>
> wrote:
> 
> > I am using gcc-6 since ages and tried to run a desktop with default
> > pie for quite a while, but soon was forced to give up:  
> 
> > [...]  
> 
> I have pie enabled on a desktop for years. Almost all major linux
> distribution have pie enabled as well nowadays.
> 
> https://wiki.debian.org/Hardening/PIEByDefaultTransition

This is less significant but I'd still like to add that I just updated
gcc to 6 followed by @world with some 500 packages and I didn't hit a
single PIE issue.

-- 
James Le Cuirot (chewi)
Gentoo Linux Developer

Re: [gentoo-dev] Re: [RFC] News item: GCC 6 defaults to USE="pie ssp"

[Andreas K. Huettel]

Am Mittwoch, 10. Mai 2017, 15:31:13 CEST schrieb James Le Cuirot:
> On Wed, 10 May 2017 08:20:32 -0500
> 
> Matthias Maier <tamiko@gentoo.org> wrote:
> > On Wed, May 10, 2017, at 02:28 CDT, Martin Vaeth <martin@mvath.de>
> > 
> > wrote:
> > > I am using gcc-6 since ages and tried to run a desktop with default
> > > pie for quite a while, but soon was forced to give up:
> > > 
> > > [...]
> > 
> > I have pie enabled on a desktop for years. Almost all major linux
> > distribution have pie enabled as well nowadays.
> > 
> > https://wiki.debian.org/Hardening/PIEByDefaultTransition
> 
> This is less significant but I'd still like to add that I just updated
> gcc to 6 followed by @world with some 500 packages and I didn't hit a
> single PIE issue.

Similar here...

I'm wondering a bit if we're not trying to make ~arch stable again. Then again 
nobody of us knows all use cases of Gentoo everywhere, so listening to the 
list makes sense.

-- 
Andreas K. Hüttel
dilfridge@gentoo.org
Gentoo Linux developer (council, perl, libreoffice)

Re: [gentoo-dev] Re: [RFC] News item: GCC 6 defaults to USE="pie ssp"

[Kristian Fiskerstrand]

[-- Attachment #1.1: Type: text/plain, Size: 552 bytes --]

On 05/10/2017 03:35 PM, Andreas K. Huettel wrote:
> I'm wondering a bit if we're not trying to make ~arch stable again. Then again 
> nobody of us knows all use cases of Gentoo everywhere, so listening to the 
> list makes sense.

Well, it'd affect stable users at _some_ point, and as you say; it seems
a good starting point for discussing which other profile changes we'd
make with a new 17.0.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-dev] Re: [RFC] News item: GCC 6 defaults to USE="pie ssp"

[Hanno Böck]

Hi,

On Wed, 10 May 2017 07:28:15 +0000 (UTC)
Martin Vaeth <martin@mvath.de> wrote:

> I am using gcc-6 since ages and tried to run a desktop with default
> pie for quite a while, but soon was forced to give up:
> 
> There are simply too many package which fail to compile;
> this cannot even be recommended to early testers yet, not to speak
> about the wide public.

I could add my voice that I ran pie by default for a while and haven't
seen any pie-specific issues, but that doesn't get us anywhere.

We have a tracker bug for default-pie-problems in bugzilla:
https://bugs.gentoo.org/show_bug.cgi?id=582688

*All* bugs that block this bug are currently marked as resolved. So if
you are aware of any open issues that need to be taken care of please
file a bug and make sure they block the tracker bug.


-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

[gentoo-dev] Re: [RFC] News item: GCC 6 defaults to USE="pie ssp"

[Martin Vaeth]

Hanno Böck <hanno@gentoo.org> wrote:
>
> I could add my voice that I ran pie by default for a while

I can confirm that the situation apparently has changed drastically
since my last attempt. My previous assertion is no longer valid:

Currently, I recompile world on x86 system with default pie,
so far with only one issue caused implicitly by clisp.
Afterwards, I will recompile world on amd64 and will report back
in case the situation should be very different.

> We have a tracker bug for default-pie-problems in bugzilla:

I reported the clisp issue and will report if I meet further.
At the time when this tracker bug was opened, I had so many issues
with default pie that I decided to switch it off since reporting
so much would have been too time-consuming for me.

I do not know what is the reason for this change. Perhaps the
first gcc versions with default pie had another bug.

Re: [gentoo-dev] Re: [RFC] News item: GCC 6 defaults to USE="pie ssp"

[Luis Ressel]

[-- Attachment #1: Type: text/plain, Size: 393 bytes --]

On Wed, 10 May 2017 07:28:15 +0000 (UTC)
Martin Vaeth <martin@mvath.de> wrote:

> For instance, you cannot even compile the kernel without special
> patches (which disable pie) if you use a gcc which default-enables
> pie.

Now I'm curious. Wouldn't that also affect the hardened gcc? I've never
had any issues compiling vanilla-sources with my hardened gcc.

Regards,
Luis Ressel

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[gentoo-dev] Re: [RFC] News item: GCC 6 defaults to USE="pie ssp"

[Martin Vaeth]

Luis Ressel <aranea@aixah.de> wrote:
> Martin Vaeth <martin@mvath.de> wrote:
>
>> For instance, you cannot even compile the kernel without special
>> patches (which disable pie) if you use a gcc which default-enables
>> pie.
>
> Now I'm curious. Wouldn't that also affect the hardened gcc?

I would guess so, but I did not try:
I didn't use hardened gcc since years, because

(a) I had to switch profiles too often because of forced pie which
used to break compilation for almost every second package (some
years ago).

(b) -fstack-protector-all slowed down my system too much, especially
since the security improvement over -fstack-protector-strong
(or with older gcc versions -fstack-protector) is rather negligible.

> I've never had any issues compiling vanilla-sources

The experience I had reported was with the first non-beta versions of
gcc-6[pie] from the hardened overlay and several (at that time current)
versions of hardened-sources.

I retried now with gcc-7.1.0-r1[pie] and current gentoo-sources, and
it turned out that the issue does no longer exist.

I do not know whether the reason is due to the change
hardened-sources -> gentoo-sources, due to an upstream kernel fix,
or due to a fix in the pie support of gcc (compared to the first
gcc-6 versions).

Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"

[Andreas K. Huettel]

[-- Attachment #1: Type: text/plain, Size: 1142 bytes --]

Am Dienstag, 9. Mai 2017, 22:10:21 CEST schrieb Alexis Ballier:
> 
> Do you realize that this breaks linking against about any static lib
> ever built before upgrading ? And I'm not even considering people
> toggling the flag.

Toggling the flag is definitely bad. So it should be either on or off.

> 
> While I believe it might be a bit too early to default-enable pie, why
> not, but the news item *must* contain instructions that people should
> 'emerge -e world' in order for it to work.
> 
> Also, I don't believe default-pie should even be a useflag. It's always
> been forced-on for hardened and forced-off for non-hardened I think.
> Switching between the two types of profiles has always been difficult
> because of that kind of differences. I strongly believe this should stay
> that way (that is: this cant be toggled by a simple useflag).
> 

Well... Hanno and Matthias said Gentoo is about the only place where it isn't 
on by default. So why are we "early", and why not just force it on for 
everybody?


-- 
Andreas K. Hüttel
dilfridge@gentoo.org
Gentoo Linux developer (council, perl, libreoffice)

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 981 bytes --]

Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"

[Jason Zaman]

On Wed, May 10, 2017 at 01:44:06AM +0200, Andreas K. Huettel wrote:
> Am Dienstag, 9. Mai 2017, 22:10:21 CEST schrieb Alexis Ballier:
> > 
> > Do you realize that this breaks linking against about any static lib
> > ever built before upgrading ? And I'm not even considering people
> > toggling the flag.
> 
> Toggling the flag is definitely bad. So it should be either on or off.
> 
> > 
> > While I believe it might be a bit too early to default-enable pie, why
> > not, but the news item *must* contain instructions that people should
> > 'emerge -e world' in order for it to work.
> > 
> > Also, I don't believe default-pie should even be a useflag. It's always
> > been forced-on for hardened and forced-off for non-hardened I think.
> > Switching between the two types of profiles has always been difficult
> > because of that kind of differences. I strongly believe this should stay
> > that way (that is: this cant be toggled by a simple useflag).
> > 
> 
> Well... Hanno and Matthias said Gentoo is about the only place where it isn't 
> on by default. So why are we "early", and why not just force it on for 
> everybody?

I just want to make sure im understanding this right, only .a files that
were compiled without -pie will cause issues if you compile the later
thing that uses the .a with -pie?
So:
1) people on hardened profiles are going to be fine no matter what?
2) only packages that have .a files need to be rebuild? (not -e @world)?
3) .a are static libs for compiling static binaries right, so nothing
will break at runtime from the change? only build failures?

I definitley think everyone on gentoo should have PIE and SSP by default
nowadays. Whats the status of -zrelro -znow on non-hardened?

This might be the kind of thing where a new set of profiles is a good
idea
1) hardened would force the flags on,
2) 13.0 non-hardened would force them off
3) 17.0 non-hardened would force them on and people have to rebuild when
      they change profiles

Im not sure how the timing of the new profile would work? only make them
once gcc-6 is stable so everyone does it at once?

-- Jason

Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"

[Matthias Maier]

On Wed, May 10, 2017, at 00:07 CDT, Jason Zaman <perfinion@gentoo.org> wrote:

> I just want to make sure im understanding this right, only .a files that
> were compiled without -pie will cause issues if you compile the later
> thing that uses the .a with -pie?
> So:
> 1) people on hardened profiles are going to be fine no matter what?

Yes.

> 2) only packages that have .a files need to be rebuild? (not -e @world)?

Essentially yes. (There might be one or two additional catches for
languages with special linkage/libraries. For example, haskell packages
have to force -no-pie - which they already do :-])

> 3) .a are static libs for compiling static binaries right, so nothing
> will break at runtime from the change? only build failures?

Yes.

> I definitley think everyone on gentoo should have PIE and SSP by default
> nowadays. Whats the status of -zrelro -znow on non-hardened?

The essential difference between non-hardened and hardened is additional

  -fstack-protector-all -fstrict_overflow -znow

on hardened.

> This might be the kind of thing where a new set of profiles is a good
> idea
> 1) hardened would force the flags on,
> 2) 13.0 non-hardened would force them off
> 3) 17.0 non-hardened would force them on and people have to rebuild when
>       they change profiles

*mhm* A profile update would also be an idea.

> Im not sure how the timing of the new profile would work? only make them
> once gcc-6 is stable so everyone does it at once?


Best,
Matthias

Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"

[Alexis Ballier]

On Wed, 10 May 2017 01:44:06 +0200
"Andreas K. Huettel" <dilfridge@gentoo.org> wrote:
> > 
> > While I believe it might be a bit too early to default-enable pie,
> > why not, but the news item *must* contain instructions that people
> > should 'emerge -e world' in order for it to work.
> > 
> > Also, I don't believe default-pie should even be a useflag. It's
> > always been forced-on for hardened and forced-off for non-hardened
> > I think. Switching between the two types of profiles has always
> > been difficult because of that kind of differences. I strongly
> > believe this should stay that way (that is: this cant be toggled by
> > a simple useflag). 
> 
> Well... Hanno and Matthias said Gentoo is about the only place where
> it isn't on by default. So why are we "early", and why not just force
> it on for everybody?


We're early because it has not been prepared. It has just been toggled
to default on *after* unmasking gcc-6 without even a tinderbox run. We
have no real idea of the fallout.


As for Hanno's claim that others are doing it, well, I'd say that's a
really good opportunity to have a look at their findings:

Fedora (which did the emerge -e world thing):
https://fedoraproject.org/wiki/Changes/Harden_All_Packages

From the tracker:
https://bugzilla.redhat.com/show_bug.cgi?id=1199775

We can find a few runtime failures:

https://bugzilla.redhat.com/show_bug.cgi?id=956868 (no idea)
https://bugzilla.redhat.com/show_bug.cgi?id=952946 (requires kernel
4.1+)
https://bugzilla.redhat.com/show_bug.cgi?id=1238804 (building perl with
pie seems to make some perl packages fail at runtime)
https://bugzilla.redhat.com/show_bug.cgi?id=1228570 (mono borkage)


Ubuntu:

https://wiki.ubuntu.com/SteveBeattie/PIENotes

https://launchpad.net/~sbeattie/+archive/ubuntu/gcc-pie-amd64/+build/8315122
(Qt checking type of an executable, which changes after enabling pie)
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=18780 (emacs segfaults
with pie, has to use -no-pie)


But probably the debian transition is the best to look for since they'd
be the ones with closest release methodology as us (with
testing/unstable):

https://wiki.debian.org/Hardening/PIEByDefaultTransition

The first test build finished with 1188 packages failing




....

So, yes, I do believe we need a more serious plan to enable pie by
default :)


Alexis.

Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"

[Kent Fredric]

[-- Attachment #1: Type: text/plain, Size: 466 bytes --]

On Wed, 10 May 2017 09:23:04 +0200
Alexis Ballier <aballier@gentoo.org> wrote:

> https://bugzilla.redhat.com/show_bug.cgi?id=1238804 (building perl with
> pie seems to make some perl packages fail at runtime)

If that's really the case, can we *not* do this right now?

There's one thing Perl team don't need right now and that's an
additional class of failure modes that can have widespread fallout by
default.

We quite have our hands full as it is.

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp", v2

[Matthias Maier]

[-- Attachment #1: Type: text/plain, Size: 1854 bytes --]

This is a reworded news item (assuming we proceed with the plan to
default-enable USE=pie). Suggestions for improving the emerge command to
fix static archives is highly welcomed.

Matthias



Title: GCC 6 defaults to USE="pie ssp"
Author: Matthias Maier <tamiko@gentoo.org>
Content-Type: text/plain
Posted: 2017-05-09
Revision: 1
News-Item-Format: 1.0
Display-If-Installed: >=sys-devel/gcc-6.3.0

In Gentoo, several GCC features can be default disabled or enabled 
via use-flags of sys-devel/gcc. Starting with gcc-4.8.3 we have already
enabled default SSP [1]. Since the PIE patchset for default position 
independent executable support was integrated upstream [2,3], starting 
with gcc-6.3 we are also enabling PIE by default (via a default-enabled 
use-flag pie) in regular (non-hardened) profiles.

[Additionally, following Gentoo policies, the default-off use-flags
nopie (only present in Hardened) and nossp are replaced starting with
gcc-6 by default-on use-flags pie and ssp.]

Be advised that switching from an older version to GCC 6 will enable the
PIE feature by default. This should not cause many problems for packages
involving shared libraries. However, static archives need to be rebuilt
(otherwise final linkage will fail [4]. You can rebuild affected packages
containing static archives via

  # emerge --exclude 'dev-haskell/*' -1 $(find /lib* /usr/lib* -type f -name "*.a")

[1] https://www.gentoo.org/support/news-items/2014-06-15-gcc48_ssp.html
[2] https://gcc.gnu.org/gcc-6/changes.html
[3] A big thanks to all developers and members of the Gentoo community that
    made upstreaming the pie patchset and other hardening options possible!
[4] A typical link error reads
  relocation R_X86_64_32 against `.rodata.str1.1' can not be used when
  making a shared object; recompile with -fPIC

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 850 bytes --]

Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp", v2

[Alexis Ballier]

On Tue, 09 May 2017 18:58:42 -0500
Matthias Maier <tamiko@gentoo.org> wrote:

> This is a reworded news item (assuming we proceed with the plan to
> default-enable USE=pie). Suggestions for improving the emerge command
> to fix static archives is highly welcomed.
>

Really, I think the slot to have pie for gcc 6 has been missed by
default-enabling it only recently. We should aim for gcc 7 at least and
have proper testing.

And add a few safety nets: A portage warning when installing non-pie
binaries, something that dies with FEATURES=strict or stricter, like
the textrel one we have. That is to avoid the quick n dirty
'append-ldflags -no-pie' that makes the whole thing about forcing pie
questionable. If possible, detect static archives that have relocations
too.

Ideally provide a system scanning tool for the above too.


After a few months of masked gcc7 like that we'll have enough data to
decide on a proper plan. It'll probably be good to get QA in the loop
and make this a QA goal too.

Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp", v2

[Kristian Fiskerstrand]

[-- Attachment #1.1: Type: text/plain, Size: 1695 bytes --]

On 05/10/2017 09:52 AM, Alexis Ballier wrote:
> On Tue, 09 May 2017 18:58:42 -0500
> Matthias Maier <tamiko@gentoo.org> wrote:
> 
>> This is a reworded news item (assuming we proceed with the plan to
>> default-enable USE=pie). Suggestions for improving the emerge command
>> to fix static archives is highly welcomed.
>>
> 
> Really, I think the slot to have pie for gcc 6 has been missed by
> default-enabling it only recently. We should aim for gcc 7 at least and
> have proper testing.
> 
> And add a few safety nets: A portage warning when installing non-pie
> binaries, something that dies with FEATURES=strict or stricter, like
> the textrel one we have. That is to avoid the quick n dirty
> 'append-ldflags -no-pie' that makes the whole thing about forcing pie
> questionable. If possible, detect static archives that have relocations
> too.
> 
> Ideally provide a system scanning tool for the above too.
> 
> 
> After a few months of masked gcc7 like that we'll have enough data to
> decide on a proper plan. It'll probably be good to get QA in the loop
> and make this a QA goal too.
> 

Sounds like a reasonable action plan. The consequences of such a change
definitely seems to be sufficiently high to merit a proper migration
plan which doesn't seem to have been established at this point. Whether
that can be added to a later point with gcc6 (e.g by adding a new
profile, or a later point release) I don't have strong opinions on, but
there should be a plan and proper overview of the consequences.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp", v2

[Dirkjan Ochtman]

On Wed, May 10, 2017 at 11:19 AM, Kristian Fiskerstrand <k_f@gentoo.org> wrote:
> Sounds like a reasonable action plan. The consequences of such a change
> definitely seems to be sufficiently high to merit a proper migration
> plan which doesn't seem to have been established at this point. Whether
> that can be added to a later point with gcc6 (e.g by adding a new
> profile, or a later point release) I don't have strong opinions on, but
> there should be a plan and proper overview of the consequences.

Yeah, I think I agree. From the discussions so far, I think that we
should definitely aim for making pie the default for everyone (on
arches where it makes sense), but doing it in the gcc-6 now which has
seen only a short period of testing so far seems a bit hasty based on
data from the messages that I've seen in these threads so far.

Cheers,

Dirkjan

New profiles for default-pie transition (was: Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp", v2)

[Andreas K. Huettel]

Am Mittwoch, 10. Mai 2017, 13:58:56 CEST schrieb Dirkjan Ochtman:
> On Wed, May 10, 2017 at 11:19 AM, Kristian Fiskerstrand <k_f@gentoo.org> 
wrote:
> > Sounds like a reasonable action plan. The consequences of such a change
> > definitely seems to be sufficiently high to merit a proper migration
> > plan which doesn't seem to have been established at this point. Whether
> > that can be added to a later point with gcc6 (e.g by adding a new
> > profile, or a later point release) I don't have strong opinions on, but
> > there should be a plan and proper overview of the consequences.
> 
> Yeah, I think I agree. From the discussions so far, I think that we
> should definitely aim for making pie the default for everyone (on
> arches where it makes sense), but doing it in the gcc-6 now which has
> seen only a short period of testing so far seems a bit hasty based on
> data from the messages that I've seen in these threads so far.

Actually the idea I like best so far is Jason's profile suggestion. 

* package.use.mask gcc[pie] in the 13.0 profiles

* generate a new set of profiles 17.0 where it's package.use.forced
* tell people they may have to rebuild world when they switch

-> This would also give us some time to discuss what other changes we might 
make with the transition to the new profiles. 

-> Also, this means the transition is independent of gcc release timing.

(We just need to be careful since hardened also inherits 13.0, so the setting 
must be overridden there. As far as I can see that's already done there 
though.)

-- 
Andreas K. Hüttel
dilfridge@gentoo.org
Gentoo Linux developer (council, perl, libreoffice)

[gentoo-dev] Re: New profiles for default-pie transition

[Kristian Fiskerstrand]

[-- Attachment #1.1: Type: text/plain, Size: 1832 bytes --]

On 05/10/2017 03:29 PM, Andreas K. Huettel wrote:
> Am Mittwoch, 10. Mai 2017, 13:58:56 CEST schrieb Dirkjan Ochtman:
>> On Wed, May 10, 2017 at 11:19 AM, Kristian Fiskerstrand <k_f@gentoo.org> 
> wrote:
>>> Sounds like a reasonable action plan. The consequences of such a change
>>> definitely seems to be sufficiently high to merit a proper migration
>>> plan which doesn't seem to have been established at this point. Whether
>>> that can be added to a later point with gcc6 (e.g by adding a new
>>> profile, or a later point release) I don't have strong opinions on, but
>>> there should be a plan and proper overview of the consequences.
>>
>> Yeah, I think I agree. From the discussions so far, I think that we
>> should definitely aim for making pie the default for everyone (on
>> arches where it makes sense), but doing it in the gcc-6 now which has
>> seen only a short period of testing so far seems a bit hasty based on
>> data from the messages that I've seen in these threads so far.
> 
> Actually the idea I like best so far is Jason's profile suggestion. 
> 
> * package.use.mask gcc[pie] in the 13.0 profiles
> 
> * generate a new set of profiles 17.0 where it's package.use.forced
> * tell people they may have to rebuild world when they switch
> 
> -> This would also give us some time to discuss what other changes we might 
> make with the transition to the new profiles. 
> 
> -> Also, this means the transition is independent of gcc release timing.
> 
> (We just need to be careful since hardened also inherits 13.0, so the setting 
> must be overridden there. As far as I can see that's already done there 
> though.)
> 

+1

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-dev] Re: New profiles for default-pie transition

[Alexis Ballier]

On Wed, 10 May 2017 15:42:25 +0200
Kristian Fiskerstrand <k_f@gentoo.org> wrote:

> On 05/10/2017 03:29 PM, Andreas K. Huettel wrote:
> > Am Mittwoch, 10. Mai 2017, 13:58:56 CEST schrieb Dirkjan Ochtman:  
> >> On Wed, May 10, 2017 at 11:19 AM, Kristian Fiskerstrand
> >> <k_f@gentoo.org>   
> > wrote:  
> >>> Sounds like a reasonable action plan. The consequences of such a
> >>> change definitely seems to be sufficiently high to merit a proper
> >>> migration plan which doesn't seem to have been established at
> >>> this point. Whether that can be added to a later point with gcc6
> >>> (e.g by adding a new profile, or a later point release) I don't
> >>> have strong opinions on, but there should be a plan and proper
> >>> overview of the consequences.  
> >>
> >> Yeah, I think I agree. From the discussions so far, I think that we
> >> should definitely aim for making pie the default for everyone (on
> >> arches where it makes sense), but doing it in the gcc-6 now which
> >> has seen only a short period of testing so far seems a bit hasty
> >> based on data from the messages that I've seen in these threads so
> >> far.  
> > 
> > Actually the idea I like best so far is Jason's profile suggestion. 
> > 
> > * package.use.mask gcc[pie] in the 13.0 profiles
> > 
> > * generate a new set of profiles 17.0 where it's package.use.forced
> > * tell people they may have to rebuild world when they switch
> >   
> > -> This would also give us some time to discuss what other changes
> > we might make with the transition to the new profiles. 
> >   
> > -> Also, this means the transition is independent of gcc release
> > timing.  
> > 
> > (We just need to be careful since hardened also inherits 13.0, so
> > the setting must be overridden there. As far as I can see that's
> > already done there though.)
> >   
> 
> +1
> 

+1 too actually

[gentoo-dev] Re: New profiles for default-pie transition

[Matthias Maier]

> -> This would also give us some time to discuss what other changes we might 
> make with the transition to the new profiles. 
>
> -> Also, this means the transition is independent of gcc release timing.
>
> (We just need to be careful since hardened also inherits 13.0, so the setting 
> must be overridden there. As far as I can see that's already done there 
> though.)

+1

I like the idea as well.

Re: New profiles for default-pie transition (was: Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp", v2)

[Hanno Böck]

On Wed, 10 May 2017 15:29:19 +0200
"Andreas K. Huettel" <dilfridge@gentoo.org> wrote:

> * generate a new set of profiles 17.0 where it's package.use.forced
> * tell people they may have to rebuild world when they switch

Do we really need to rebuild world?
From what I understand problems arise if we have packages installing
static libraries that aren't built position independent.
However that's only a small fraction of packages and we should be
easily able to detect them.

Can't we just provide a small script or bash oneliner that will rebuild
all affected packages?

(other than that I think the profile plan sounds reasonable)

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

[gentoo-dev] Re: New profiles for default-pie transition

[Matthias Maier]

On Wed, May 10, 2017, at 10:32 CDT, Hanno Böck <hanno@gentoo.org> wrote:

> Can't we just provide a small script or bash oneliner that will rebuild
> all affected packages?

See mail e-mail with the updated news item.
  "[RFC] News item: GCC 6 defaults to USE="pie ssp", v2"

Best,
Matthias

Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp", v2

[Walter Dnes]

On Tue, May 09, 2017 at 06:58:42PM -0500, Matthias Maier wrote
> This is a reworded news item (assuming we proceed with the plan to
> default-enable USE=pie). Suggestions for improving the emerge command to
> fix static archives is highly welcomed.
> 
> Matthias
> 
> 
> 
> Title: GCC 6 defaults to USE="pie ssp"
> Author: Matthias Maier <tamiko@gentoo.org>
> Content-Type: text/plain
> Posted: 2017-05-09
> Revision: 1
> News-Item-Format: 1.0
> Display-If-Installed: >=sys-devel/gcc-6.3.0
> 
> In Gentoo, several GCC features can be default disabled or enabled 
> via use-flags of sys-devel/gcc. Starting with gcc-4.8.3 we have already
> enabled default SSP [1]. Since the PIE patchset for default position 
> independent executable support was integrated upstream [2,3], starting 
> with gcc-6.3 we are also enabling PIE by default (via a default-enabled 
> use-flag pie) in regular (non-hardened) profiles.

  Has anyone checked 32-bit systems?  "emerge -pv =sys-devel/gcc-6.3.0"
on a 2008 Core2duo 32-bit install (my GCC 6.3.0 testbed) shows "(-pie)".
I read that as the "pie" USE flag being hard-masked out.  On my 64-bit
desktop, "pie" is the default.

-- 
Walter Dnes <waltdnes@waltdnes.org>
I don't run "desktop environments"; I run useful applications

Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp", v2

[Matthias Maier]

>   Has anyone checked 32-bit systems?  "emerge -pv =sys-devel/gcc-6.3.0"
> on a 2008 Core2duo 32-bit install (my GCC 6.3.0 testbed) shows "(-pie)".
> I read that as the "pie" USE flag being hard-masked out.  On my 64-bit
> desktop, "pie" is the default.

Yes, we are aware of this. Unfortunately, determining the course of
action took a bit of time.

Will be fixed with a small profile update within the next 24h.

Best,
Matthias