Debian Bug report logs - #835146
dpkg-buildflags: Please enable bindnow hardening flag by default

Package: dpkg-dev; Maintainer for dpkg-dev is Dpkg Developers <debian-dpkg@lists.debian.org>; Source for dpkg-dev is src:dpkg (PTS, buildd, popcon).

Reported by: Balint Reczey <balint@balintreczey.hu>

Date: Mon, 22 Aug 2016 22:18:01 UTC

Severity: wishlist

Tags: moreinfo, patch



Report forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#835146; Package dpkg. (Mon, 22 Aug 2016 22:18:05 GMT)


Acknowledgement sent to Balint Reczey <balint@balintreczey.hu>:
New Bug report received and forwarded. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Mon, 22 Aug 2016 22:18:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Balint Reczey <balint@balintreczey.hu>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dpkg: please enable bindow hardening flag by default
Date: Tue, 23 Aug 2016 00:14:25 +0200
Package: dpkg
Version: 1.18.10
Severity: wishlist
Tags: patch moreinfo

Dear Guillem,

As a continuation of the discussions [1][2] on debian-devel I'm
attaching the simple patch that implements enabling the bindnow
hardening flags.

I'm continuing with the rebuild/autopkgtest tests according to
the Dpkg FAQ, hence the moreinfo tag.

Cheers,
Balint

[1] https://lists.debian.org/debian-devel/2016/05/msg00228.html
[2] https://lists.debian.org/debian-devel/2016/08/msg00324.html
[0001-Use-bindnow-hardening-flag-by-default.patch (text/x-patch, attachment)]

Changed Bug title to 'dpkg: please enable bindnow hardening flag by default' from 'dpkg: please enable bindow hardening flag by default'. Request was from Balint Reczey <balint@balintreczey.hu> to control@bugs.debian.org. (Fri, 09 Sep 2016 20:27:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#835146; Package dpkg. (Mon, 10 Oct 2016 12:09:03 GMT)


Acknowledgement sent to Balint Reczey <balint@balintreczey.hu>:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Mon, 10 Oct 2016 12:09:03 GMT)


Message #12 received at 835146@bugs.debian.org:

From: Balint Reczey <balint@balintreczey.hu>
To: 835146@bugs.debian.org
Subject: Re: dpkg: please enable bindow hardening flag by default
Date: Mon, 10 Oct 2016 14:06:09 +0200
Dear Guillem,

On Tue, 23 Aug 2016 00:14:25 +0200 Balint Reczey <balint@balintreczey.hu> wrote:
...
> Dear Guillem,
> 
> As a continuation of the discussions [1][2] on debian-devel I'm
> attaching the simple patch that implements enabling the bindnow
> hardening flags.
> 
> I'm continuing with the rebuild/autopkgtest tests according to
> the Dpkg FAQ, hence the moreinfo tag.

The rebuild (with PIE and bindnow enabled) resulted in ~1000 FTBFS
cases, all of which seem to be related to enabling PIE by
default [3].

~70 of the filed related bugs [4] are still open.

Since the rebuild was run with tests enabled this seems to be a
good indication that we can expect very few breakages from
enabling bindnow by default.

Running autopkgtest would need more work as AFAIK there is no
automated method for doing it like rebuilds [5].

I'm wondering if you find the autopkgtest round necessary for
this change.

Cheers,
Balint

> 
> Cheers,
> Balint
> 
> [1] https://lists.debian.org/debian-devel/2016/05/msg00228.html
> [2] https://lists.debian.org/debian-devel/2016/08/msg00324.html

[3] https://wiki.debian.org/Hardening/PIEByDefaultTransition
[4] https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=pie-bindnow-20160906&users=balint%40balintreczey.hu;dist=unstable
[5] https://wiki.debian.org/qa.debian.org/ArchiveTesting



Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#835146; Package dpkg. (Thu, 20 Oct 2016 01:24:03 GMT)


Acknowledgement sent to balint@balintreczey.hu:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Thu, 20 Oct 2016 01:24:03 GMT)


Message #17 received at 835146@bugs.debian.org:

From: Bálint Réczey <balint@balintreczey.hu>
To: 835146@bugs.debian.org
Subject: Re: dpkg: please enable bindow hardening flag by default
Date: Thu, 20 Oct 2016 03:20:59 +0200
Hi Guillem,

For the record gcc-6/6.2.0-7 enabled bindnow for the architectures where
PIE is enabled by default. I think enabling bindnow from dpkg would be
better through the hardening flags because packages could disable it
in a nicer and already established way.

Cheers,
Balint

2016-10-10 14:06 GMT+02:00 Balint Reczey <balint@balintreczey.hu>:
> Dear Guillem,
>
> On Tue, 23 Aug 2016 00:14:25 +0200 Balint Reczey <balint@balintreczey.hu> wrote:
> ...
>> Dear Guillem,
>>
>> As a continuation of the discussions [1][2] on debian-devel I'm
>> attaching the simple patch that implements enabling the bindnow
>> hardening flags.
>>
>> I'm continuing with the rebuild/autopkgtest tests according to
>> the Dpkg FAQ, hence the moreinfo tag.
>
> The rebuild (with PIE and bindnow enabled) resulted in ~1000 FTBFS
> cases, all of which seem to be related to enabling PIE by
> default [3].
>
> ~70 of the filed related bugs [4] are still open.
>
> Since the rebuild was run with tests enabled this seems to be a
> good indication that we can expect very few breakages from
> enabling bindnow by default.
>
> Running autopkgtest would need more work as AFAIK there is no
> automated method for doing it like rebuilds [5].
>
> I'm wondering if you find the autopkgtest round necessary for
> this change.
>
> Cheers,
> Balint
>
>>
>> Cheers,
>> Balint
>>
>> [1] https://lists.debian.org/debian-devel/2016/05/msg00228.html
>> [2] https://lists.debian.org/debian-devel/2016/08/msg00324.html
>
> [3] https://wiki.debian.org/Hardening/PIEByDefaultTransition
> [4] https://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=pie-bindnow-20160906&users=balint%40balintreczey.hu;dist=unstable
> [5] https://wiki.debian.org/qa.debian.org/ArchiveTesting
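
Balint's point above is that a package can opt out of a dpkg-buildflags hardening feature in the established way, through the hardening area of DEB_BUILD_MAINT_OPTIONS in debian/rules (for example `export DEB_BUILD_MAINT_OPTIONS = hardening=-bindnow`). The Python below is an added model of how such toggles are resolved, written for this page and not dpkg's own implementation: the feature list, the default table and the flag spellings are simplified assumptions chosen to mirror the state discussed in this bug (relro on, bindnow off) plus a second table with bindnow on, as the patch proposes; `+feature`, `-feature`, `+all` and `-all` are applied left to right.

```python
"""Model of dpkg-buildflags style hardening toggles (constructed example).

Not dpkg's code.  It resolves a DEB_BUILD_MAINT_OPTIONS value such as
"hardening=+all" or "hardening=-bindnow,+pie" against a default table and
maps the result to compiler/linker flags.  Feature names, defaults and flag
spellings are simplified assumptions for illustration.
"""

# Assumed defaults mirroring the state discussed in the bug: relro on,
# bindnow off, PIE left to the toolchain (modelled here as off).
DEFAULTS = {
    "pie": False,
    "stackprotector": True,
    "fortify": True,
    "format": True,
    "relro": True,
    "bindnow": False,
}

# What the patch under discussion proposes: bindnow on by default.
PROPOSED_DEFAULTS = dict(DEFAULTS, bindnow=True)


def resolve_hardening(maint_options, defaults=DEFAULTS):
    """Apply hardening=+/-feature settings (left to right) to the defaults."""
    enabled = dict(defaults)
    for area_spec in maint_options.split():
        if "=" not in area_spec:
            raise ValueError(f"malformed option {area_spec!r}")
        area, settings = area_spec.split("=", 1)
        if area != "hardening":
            continue  # other option areas are not modelled here
        for setting in filter(None, settings.split(",")):
            sign, name = setting[0], setting[1:]
            if sign not in "+-":
                raise ValueError(f"setting must start with + or -: {setting!r}")
            value = sign == "+"
            if name == "all":
                for feature in enabled:
                    enabled[feature] = value
            elif name in enabled:
                enabled[name] = value
            else:
                raise ValueError(f"unknown hardening feature {name!r}")
    return enabled


def build_flags(enabled):
    """Map the enabled-feature table to CFLAGS, CPPFLAGS and LDFLAGS."""
    cflags, cppflags, ldflags = ["-g", "-O2"], [], []
    if enabled["format"]:
        cflags += ["-Wformat", "-Werror=format-security"]
    if enabled["stackprotector"]:
        cflags.append("-fstack-protector-strong")
    if enabled["fortify"]:
        cppflags.append("-D_FORTIFY_SOURCE=2")
    if enabled["pie"]:
        cflags.append("-fPIE")
        ldflags += ["-fPIE", "-pie"]
    if enabled["relro"]:
        ldflags.append("-Wl,-z,relro")
    if enabled["bindnow"]:
        # bindnow only pays off on top of relro: together they give a
        # read-only GOT after startup ("full RELRO").
        ldflags.append("-Wl,-z,now")
    return {"CFLAGS": cflags, "CPPFLAGS": cppflags, "LDFLAGS": ldflags}


if __name__ == "__main__":
    cases = (
        (DEFAULTS, ""),
        (DEFAULTS, "hardening=+bindnow"),
        (PROPOSED_DEFAULTS, ""),
        (PROPOSED_DEFAULTS, "hardening=-bindnow"),
    )
    for defaults, opts in cases:
        flags = build_flags(resolve_hardening(opts, defaults))
        print(f"{opts or '(no options)':28} LDFLAGS={' '.join(flags['LDFLAGS'])}")
```

Run without arguments it prints the LDFLAGS for the four combinations that matter in this thread: current defaults, a package opting in, the proposed defaults, and a package opting out under them. The opt-out line is the "nicer and already established way" Balint refers to; it only exists if the default lives in dpkg-buildflags rather than in the compiler driver.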



Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#835146; Package dpkg. (Wed, 26 Oct 2016 03:03:03 GMT)


Acknowledgement sent to Guillem Jover <guillem@debian.org>:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Wed, 26 Oct 2016 03:03:03 GMT)


Message #22 received at 835146@bugs.debian.org:

From: Guillem Jover <guillem@debian.org>
To: balint@balintreczey.hu, 835146@bugs.debian.org
Subject: Re: Bug#835146: dpkg: please enable bindow hardening flag by default
Date: Wed, 26 Oct 2016 05:00:38 +0200
Hi!

On Thu, 2016-10-20 at 03:20:59 +0200, Bálint Réczey wrote:
> For the record gcc-6/6.2.0-7 enabled bindnow for the architectures where
> PIE is enabled by default. I think enabling bindnow from dpkg would be
> better through the hardening flags because packages could disable it
> in a nicer and already established way.

Hmm, I don't get why bindnow was enabled by default in gcc, while
relro (I'd assume) is not enabled by default, or is that enabled by
default now too?

IMO either relro + bindnow should be enabled in gcc, or neither
should. I'm fine either way, but I find having a hardened compiler is
actually good, because it also gives hardened output for non-packaged
builds!

Thanks,
Guillem



Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#835146; Package dpkg. (Wed, 26 Oct 2016 11:51:02 GMT)


Acknowledgement sent to balint@balintreczey.hu:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Wed, 26 Oct 2016 11:51:02 GMT)


Message #27 received at 835146@bugs.debian.org:

From: Bálint Réczey <balint@balintreczey.hu>
To: Guillem Jover <guillem@debian.org>, Matthias Klose <doko@debian.org>
Cc: 835146@bugs.debian.org
Subject: Re: Bug#835146: dpkg: please enable bindow hardening flag by default
Date: Wed, 26 Oct 2016 13:46:57 +0200
Hi,

2016-10-26 5:00 GMT+02:00 Guillem Jover <guillem@debian.org>:
> Hi!
> 
> On Thu, 2016-10-20 at 03:20:59 +0200, Bálint Réczey wrote:
>> For the record gcc-6/6.2.0-7 enabled bindnow for the architectures
>> where PIE is enabled by default. I think enabling bindnow from dpkg
>> would be better through the hardening flags because packages could
>> disable it in a nicer and already established way.
> 
> Hmm, I don't get why bindnow was enabled by default in gcc, while 
> relro (I'd assume) is not enabled by default, or is that enabled by 
> default now too?

Default relro is enabled only on Ubuntu among other flags. Enabling
bindnow was Matthias' change and we did not discuss it in advance.

http://sources.debian.net/src/gcc-6/6.2.0-9/debian/rules.patch/#L134

> 
> IMO either relro + bindnow should be enabled in gcc, or neither 
> should. I'm fine either way, but I find having a hardened compiler
> is actually good, because it also gives hardened output for
> non-packaged builds!

I'm OK either way. IMO those can be enabled even for non-PIE arches BTW.
In the original patches I wanted to follow Debian's practice of setting
flags from dpkg, but there are pros and cons on each side.
Setting relro + bindnow in GCC probably results in fewer FTBFSs in packages
where flags are not passed properly, while it makes it harder to disable
the flags from d/rules.

I would like to see bindnow enabled in Stretch and the first phase of
the freeze is near. Could you two (Matthias and Guillem) please find the
variant which would please both of you?

Cheers,
Balint



Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#835146; Package dpkg. (Thu, 27 Oct 2016 21:51:03 GMT)


Acknowledgement sent to balint@balintreczey.hu:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Thu, 27 Oct 2016 21:51:03 GMT)


Message #32 received at 835146@bugs.debian.org:

From: Bálint Réczey <balint@balintreczey.hu>
To: Guillem Jover <guillem@debian.org>, Matthias Klose <doko@debian.org>
Cc: 835146@bugs.debian.org
Subject: Re: Bug#835146: dpkg: please enable bindow hardening flag by default
Date: Thu, 27 Oct 2016 23:49:20 +0200
Hi,

2016-10-26 13:46 GMT+02:00 Bálint Réczey <balint@balintreczey.hu>:
> Hi,
>
> 2016-10-26 5:00 GMT+02:00 Guillem Jover <guillem@debian.org>:
>> Hi!
>>
>> On Thu, 2016-10-20 at 03:20:59 +0200, Bálint Réczey wrote:
>>> For the record gcc-6/6.2.0-7 enabled bindnow for the architectures
>>> where PIE is enabled by default. I think enabling bindnow from dpkg
>>> would be better through the hardening flags because packages could
>>> disable it in a nicer and already established way.
>>
>> Hmm, I don't get why bindnow was enabled by default in gcc, while
>> relro (I'd assume) is not enabled by default, or is that enabled by
>> default now too?
>
> Default relro is enabled only on Ubuntu among other flags. Enabling
> bindnow was Matthias' change and we did not discuss it in advance.
>
> http://sources.debian.net/src/gcc-6/6.2.0-9/debian/rules.patch/#L134
>
>>
>> IMO either relro + bindnow should be enabled in gcc, or neither
>> should. I'm fine either way, but I find having a hardened compiler
>> is actually good, because it also gives hardened output for
>> non-packaged builds!
>
> I'm OK either way. IMO those can be enabled even for non-PIE arches BTW.
> In the original patches I wanted to follow Debian's practice of setting
> flags from dpkg, but there are pros and cons on each side.
> Setting relro + bindnow in GCC probably results in fewer FTBFSs in packages
> where flags are not passed properly, while it makes it harder to disable
> the flags from d/rules.
>
> I would like to see bindnow enabled in Stretch and the first phase of
> the freeze is near. Could you two (Matthias and Guillem) please find the
> variant which would please both of you?

For the record Matthias reverted setting bindnow in gcc-6/6.2.0-10, thus it
seems dpkg can set both.

Cheers,
Balint



Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#835146; Package dpkg. (Sun, 06 Nov 2016 12:24:02 GMT)


Acknowledgement sent to balint@balintreczey.hu:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Sun, 06 Nov 2016 12:24:02 GMT)


Message #37 received at 835146@bugs.debian.org:

From: Bálint Réczey <balint@balintreczey.hu>
To: Guillem Jover <guillem@debian.org>, Matthias Klose <doko@debian.org>
Cc: 835146@bugs.debian.org
Subject: Re: Bug#835146: dpkg: please enable bindow hardening flag by default
Date: Sun, 6 Nov 2016 13:20:05 +0100
Hi Guillem,

2016-10-27 23:49 GMT+02:00 Bálint Réczey <balint@balintreczey.hu>:
> Hi,
>
> 2016-10-26 13:46 GMT+02:00 Bálint Réczey <balint@balintreczey.hu>:
>> Hi,
>>
>> 2016-10-26 5:00 GMT+02:00 Guillem Jover <guillem@debian.org>:
>>> Hi!
>>>
>>> On Thu, 2016-10-20 at 03:20:59 +0200, Bálint Réczey wrote:
>>>> For the record gcc-6/6.2.0-7 enabled bindnow for the architectures
>>>> where PIE is enabled by default. I think enabling bindnow from dpkg
>>>> would be better through the hardening flags because packages could
>>>> disable it in a nicer and already established way.
>>>
>>> Hmm, I don't get why bindnow was enabled by default in gcc, while
>>> relro (I'd assume) is not enabled by default, or is that enabled by
>>> default now too?
>>
>> Default relro is enabled only on Ubuntu among other flags. Enabling
>> bindnow was Matthias' change and we did not discuss it in advance.
>>
>> http://sources.debian.net/src/gcc-6/6.2.0-9/debian/rules.patch/#L134
>>
>>>
>>> IMO either relro + bindnow should be enabled in gcc, or neither
>>> should. I'm fine either way, but I find having a hardened compiler
>>> is actually good, because it also gives hardened output for
>>> non-packaged builds!
>>
>> I'm OK either way. IMO those can be enabled even for non-PIE arches BTW.
>> In the original patches I wanted to follow Debian's practice of setting
>> flags from dpkg, but there are pros and cons on each side.
>> Setting relro + bindnow in GCC probably results in fewer FTBFSs in packages
>> where flags are not passed properly, while it makes it harder to disable
>> the flags from d/rules.
>>
>> I would like to see bindnow enabled in Stretch and the first phase of
>> the freeze is near. Could you two (Matthias and Guillem) please find the
>> variant which would please both of you?
>
> For the record Matthias reverted setting bindnow in gcc-6/6.2.0-10, thus it
> seems dpkg can set both.

I saw you synced dpkg with GCC's default PIE settings in 1.18.11, thank you
for that.
Is there any particular reason for not enabling bindnow as well?

Do you plan enabling it for Stretch?

Cheers,
Balint



Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#835146; Package dpkg. (Wed, 14 Dec 2016 13:03:05 GMT)


Acknowledgement sent to balint@balintreczey.hu:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Wed, 14 Dec 2016 13:03:05 GMT)


Message #42 received at 835146@bugs.debian.org:

From: Bálint Réczey <balint@balintreczey.hu>
To: Guillem Jover <guillem@debian.org>, Matthias Klose <doko@debian.org>
Cc: 835146@bugs.debian.org
Subject: Re: Bug#835146: dpkg: please enable bindow hardening flag by default
Date: Wed, 14 Dec 2016 13:58:38 +0100
Hi All,

2016-11-06 13:20 GMT+01:00 Bálint Réczey <balint@balintreczey.hu>:
> Hi Guillem,
>
> 2016-10-27 23:49 GMT+02:00 Bálint Réczey <balint@balintreczey.hu>:
>> Hi,
>>
>> 2016-10-26 13:46 GMT+02:00 Bálint Réczey <balint@balintreczey.hu>:
>>> Hi,
>>>
>>> 2016-10-26 5:00 GMT+02:00 Guillem Jover <guillem@debian.org>:
>>>> Hi!
>>>>
>>>> On Thu, 2016-10-20 at 03:20:59 +0200, Bálint Réczey wrote:
>>>>> For the record gcc-6/6.2.0-7 enabled bindnow for the architectures
>>>>> where PIE is enabled by default. I think enabling bindnow from dpkg
>>>>> would be better through the hardening flags because packages could
>>>>> disable it in a nicer and already established way.
>>>>
>>>> Hmm, I don't get why bindnow was enabled by default in gcc, while
>>>> relro (I'd assume) is not enabled by default, or is that enabled by
>>>> default now too?
>>>
>>> Default relro is enabled only on Ubuntu among other flags. Enabling
>>> bindnow was Matthias' change and we did not discuss it in advance.
>>>
>>> http://sources.debian.net/src/gcc-6/6.2.0-9/debian/rules.patch/#L134
>>>
>>>>
>>>> IMO either relro + bindnow should be enabled in gcc, or neither
>>>> should. I'm fine either way, but I find having a hardened compiler
>>>> is actually good, because it also gives hardened output for
>>>> non-packaged builds!
>>>
>>> I'm OK either way. IMO those can be enabled even for non-PIE arches BTW.
>>> In the original patches I wanted to follow Debian's practice of setting
>>> flags from dpkg, but there are pros and cons on each side.
>>> Setting relro + bindnow in GCC probably results in fewer FTBFSs in packages
>>> where flags are not passed properly, while it makes it harder to disable
>>> the flags from d/rules.
>>>
>>> I would like to see bindnow enabled in Stretch and the first phase of
>>> the freeze is near. Could you two (Matthias and Guillem) please find the
>>> variant which would please both of you?
>>
>> For the record Matthias reverted setting bindnow in gcc-6/6.2.0-10, thus it
>> seems dpkg can set both.
>
> I saw you synced dpkg with GCC's default PIE settings in 1.18.11, thank you
> for that.
> Is there any particular reason for not enabling bindnow as well?
>
> Do you plan enabling it for Stretch?

I have uploaded a fixed package with the attached patch to DELAYED/10.

Cheers,
Balint
[dpkg-1.18.15+nmu1.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#835146; Package dpkg. (Wed, 14 Dec 2016 14:12:02 GMT)


Acknowledgement sent to Matthias Klose <doko@debian.org>:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Wed, 14 Dec 2016 14:12:02 GMT)


Message #47 received at 835146@bugs.debian.org:

From: Matthias Klose <doko@debian.org>
To: balint@balintreczey.hu, Guillem Jover <guillem@debian.org>
Cc: 835146@bugs.debian.org
Subject: Re: Bug#835146: dpkg: please enable bindow hardening flag by default
Date: Wed, 14 Dec 2016 15:09:39 +0100
On 14.12.2016 13:58, Bálint Réczey wrote:
> Hi All,
> 
> 2016-11-06 13:20 GMT+01:00 Bálint Réczey <balint@balintreczey.hu>:
>> Hi Guillem,
>>
>> 2016-10-27 23:49 GMT+02:00 Bálint Réczey <balint@balintreczey.hu>:
>>> Hi,
>>>
>>> 2016-10-26 13:46 GMT+02:00 Bálint Réczey <balint@balintreczey.hu>:
>>>> Hi,
>>>>
>>>> 2016-10-26 5:00 GMT+02:00 Guillem Jover <guillem@debian.org>:
>>>>> Hi!
>>>>>
>>>>> On Thu, 2016-10-20 at 03:20:59 +0200, Bálint Réczey wrote:
>>>>>> For the record gcc-6/6.2.0-7 enabled bindnow for the architectures
>>>>>> where PIE is enabled by default. I think enabling bindnow from dpkg
>>>>>> would be better through the hardening flags because packages could
>>>>>> disable it in a nicer and already established way.
>>>>>
>>>>> Hmm, I don't get why bindnow was enabled by default in gcc, while
>>>>> relro (I'd assume) is not enabled by default, or is that enabled by
>>>>> default now too?
>>>>
>>>> Default relro is enabled only on Ubuntu among other flags. Enabling
>>>> bindnow was Matthias' change and we did not discuss it in advance.
>>>>
>>>> http://sources.debian.net/src/gcc-6/6.2.0-9/debian/rules.patch/#L134
>>>>
>>>>>
>>>>> IMO either relro + bindnow should be enabled in gcc, or neither
>>>>> should. I'm fine either way, but I find having a hardened compiler
>>>>> is actually good, because it also gives hardened output for
>>>>> non-packaged builds!
>>>>
>>>> I'm OK either way. IMO those can be enabled even for non-PIE arches BTW.
>>>> In the original patches I wanted to follow Debian's practice of setting
>>>> flags from dpkg, but there are pros and cons on each side.
>>>> Setting relro + bindnow in GCC probably results in fewer FTBFSs in packages
>>>> where flags are not passed properly, while it makes it harder to disable
>>>> the flags from d/rules.
>>>>
>>>> I would like to see bindnow enabled in Stretch and the first phase of
>>>> the freeze is near. Could you two (Matthias and Guillem) please find the
>>>> variant which would please both of you?
>>>
>>> For the record Matthias reverted setting bindnow in gcc-6/6.2.0-10, thus it
>>> seems dpkg can set both.
>>
>> I saw you synced dpkg with GCC's default PIE settings in 1.18.11, thank you
>> for that.
>> Is there any particular reason for not enabling bindnow as well?
>>
>> Do you plan enabling it for Stretch?
> 
> I have uploaded a fixed package with the attached patch to DELAYED/10.

That enables bindnow on any architecture whether PIE is enabled or not. Is this
intended?

Matthias




Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#835146; Package dpkg. (Wed, 14 Dec 2016 14:24:10 GMT)


Acknowledgement sent to balint@balintreczey.hu:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Wed, 14 Dec 2016 14:24:10 GMT)


Message #52 received at 835146@bugs.debian.org:

From: Bálint Réczey <balint@balintreczey.hu>
To: Matthias Klose <doko@debian.org>
Cc: Guillem Jover <guillem@debian.org>, 835146@bugs.debian.org
Subject: Re: Bug#835146: dpkg: please enable bindow hardening flag by default
Date: Wed, 14 Dec 2016 15:19:36 +0100
Hi Matthias,

2016-12-14 15:09 GMT+01:00 Matthias Klose <doko@debian.org>:
> On 14.12.2016 13:58, Bálint Réczey wrote:
>> Hi All,
>>
>> 2016-11-06 13:20 GMT+01:00 Bálint Réczey <balint@balintreczey.hu>:
>>> Hi Guillem,
>>>
>>> 2016-10-27 23:49 GMT+02:00 Bálint Réczey <balint@balintreczey.hu>:
>>>> Hi,
>>>>
>>>> 2016-10-26 13:46 GMT+02:00 Bálint Réczey <balint@balintreczey.hu>:
>>>>> Hi,
>>>>>
>>>>> 2016-10-26 5:00 GMT+02:00 Guillem Jover <guillem@debian.org>:
>>>>>> Hi!
>>>>>>
>>>>>> On Thu, 2016-10-20 at 03:20:59 +0200, Bálint Réczey wrote:
>>>>>>> For the record gcc-6/6.2.0-7 enabled bindnow for the architectures
>>>>>>> where PIE is enabled by default. I think enabling bindnow from dpkg
>>>>>>> would be better through the hardening flags because packages could
>>>>>>> disable it in a nicer and already established way.
>>>>>>
>>>>>> Hmm, I don't get why bindnow was enabled by default in gcc, while
>>>>>> relro (I'd assume) is not enabled by default, or is that enabled by
>>>>>> default now too?
>>>>>
>>>>> Default relro is enabled only on Ubuntu among other flags. Enabling
>>>>> bindnow was Matthias' change and we did not discuss it in advance.
>>>>>
>>>>> http://sources.debian.net/src/gcc-6/6.2.0-9/debian/rules.patch/#L134
>>>>>
>>>>>>
>>>>>> IMO either relro + bindnow should be enabled in gcc, or neither
>>>>>> should. I'm fine either way, but I find having a hardened compiler
>>>>>> is actually good, because it also gives hardened output for
>>>>>> non-packaged builds!
>>>>>
>>>>> I'm OK either way. IMO those can be enabled even for non-PIE arches BTW.
>>>>> In the original patches I wanted to follow Debian's practice of setting
>>>>> flags from dpkg, but there are pros and cons on each side.
>>>>> Setting relro + bindnow in GCC probably results in fewer FTBFSs in packages
>>>>> where flags are not passed properly, while it makes it harder to disable
>>>>> the flags from d/rules.
>>>>>
>>>>> I would like to see bindnow enabled in Stretch and the first phase of
>>>>> the freeze is near. Could you two (Matthias and Guillem) please find the
>>>>> variant which would please both of you?
>>>>
>>>> For the record Matthias reverted setting bindnow in gcc-6/6.2.0-10, thus it
>>>> seems dpkg can set both.
>>>
>>> I saw you synced dpkg with GCC's default PIE settings in 1.18.11, thank you
>>> for that.
>>> Is there any particular reason for not enabling bindnow as well?
>>>
>>> Do you plan enabling it for Stretch?
>>
>> I have uploaded a fixed package with the attached patch to DELAYED/10.
>
> That enables bindnow on any architecture whether PIE is enabled or not. Is this
> intended?

Yes, relro is enabled by default on all architectures, too.

Cheers,
Balint
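
Matthias's question and Balint's answer above turn on which built binaries end up carrying bindnow next to relro. Whether a given ELF actually got both halves of "full RELRO" (a PT_GNU_RELRO segment from -Wl,-z,relro and a BIND_NOW marking in the dynamic section from -Wl,-z,now) can be read off its headers; this is the same information `readelf -l` and `readelf -d` expose and checksec-style tools summarise. The Python below is an added example, not part of the bug log or of dpkg: it uses only the standard library, handles ELF64 little-endian files only, and its sample input is a hand-built minimal ELF image constructed for the example rather than a real program.

```python
"""Report RELRO / BIND_NOW status of an ELF64 little-endian binary.

Added example, not dpkg code.  "Full RELRO" needs both a PT_GNU_RELRO
program header (from -Wl,-z,relro) and a BIND_NOW marking in the dynamic
section (from -Wl,-z,now): the loader then resolves every symbol at startup
and maps the GOT read-only, so it can no longer be overwritten at run time.
"""
import struct
import sys

PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL = 0
DT_BIND_NOW = 24
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1
EHDR_SIZE, PHDR_SIZE = 64, 56


def inspect_elf(data):
    """Return {'relro', 'bindnow', 'full_relro'} booleans for an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled")
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    relro, dyn_off, dyn_size = False, None, 0
    for i in range(e_phnum):
        # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, ...
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz

    bindnow = False
    if dyn_off is not None:
        for pos in range(dyn_off, dyn_off + dyn_size, 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, pos)
            if d_tag == DT_NULL:
                break
            # Any of the three spellings marks the object as BIND_NOW.
            if (d_tag == DT_BIND_NOW
                    or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                bindnow = True
    return {"relro": relro, "bindnow": bindnow, "full_relro": relro and bindnow}


def check_file(path):
    """Inspect an ELF file on disk (e.g. something built with dpkg-buildflags)."""
    with open(path, "rb") as fh:
        return inspect_elf(fh.read())


def build_sample(relro, bindnow):
    """Construct a minimal ELF64 image with just the headers inspect_elf reads.

    Synthetic test fixture for this example, not an executable program.
    """
    dyn = b""
    if bindnow:
        dyn += struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW)
        dyn += struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    n_ph = 2 if relro else 1
    dyn_off = EHDR_SIZE + PHDR_SIZE * n_ph
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, EHDR_SIZE, 0, 0,
                               EHDR_SIZE, PHDR_SIZE, n_ph, 0, 0, 0)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            print(path, check_file(path))
    else:
        for flags in ((True, True), (True, False), (False, False)):
            print(flags, inspect_elf(build_sample(*flags)))
```

Given real binaries on the command line it reports each one; with no arguments it runs over the constructed samples. A binary built with relro but not bindnow shows up as partial RELRO, which is exactly the gap the bug asks dpkg-buildflags to close by default.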



Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#835146; Package dpkg. (Mon, 19 Dec 2016 00:09:02 GMT)


Acknowledgement sent to Christian Hofstaedtler <zeha@debian.org>:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Mon, 19 Dec 2016 00:09:02 GMT)


Message #57 received at 835146@bugs.debian.org:

From: Christian Hofstaedtler <zeha@debian.org>
To: balint@balintreczey.hu, 835146@bugs.debian.org
Cc: Guillem Jover <guillem@debian.org>, Matthias Klose <doko@debian.org>
Subject: Re: Bug#835146: dpkg: please enable bindow hardening flag by default
Date: Mon, 19 Dec 2016 01:07:30 +0100
* Bálint Réczey <balint@balintreczey.hu> [161219 00:06]:
> I have uploaded a fixed package with the attached patch to DELAYED/10.

Given dpkg/1.18.16 has entered sid, your upload will likely fail...

Best,
-- 
christian hofstaedtler <zeha@debian.org>



Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#835146; Package dpkg. (Mon, 19 Dec 2016 10:45:02 GMT)


Acknowledgement sent to balint@balintreczey.hu:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Mon, 19 Dec 2016 10:45:02 GMT)


Message #62 received at 835146@bugs.debian.org:

From: Bálint Réczey <balint@balintreczey.hu>
To: Christian Hofstaedtler <zeha@debian.org>
Cc: 835146@bugs.debian.org, Guillem Jover <guillem@debian.org>, Matthias Klose <doko@debian.org>
Subject: Re: Bug#835146: dpkg: please enable bindow hardening flag by default
Date: Mon, 19 Dec 2016 11:43:01 +0100
2016-12-19 1:07 GMT+01:00 Christian Hofstaedtler <zeha@debian.org>:
> * Bálint Réczey <balint@balintreczey.hu> [161219 00:06]:
>> I have uploaded a fixed package with the attached patch to DELAYED/10.
>
> Given dpkg/1.18.16 has entered sid, your upload will likely fail...


Yes, Guillem mentioned it in his email to debian-devel:
https://lists.debian.org/debian-devel/2016/12/msg00416.html

Cheers,
Balint



Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#835146; Package dpkg. (Thu, 17 Aug 2017 14:39:05 GMT)


Acknowledgement sent to "Dr. Markus Waldeck" <waldeck@gmx.de>:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Thu, 17 Aug 2017 14:39:05 GMT)


Message #67 received at 835146@bugs.debian.org:

From: "Dr. Markus Waldeck" <waldeck@gmx.de>
To: 835146@bugs.debian.org
Cc: "Guillem Jover" <guillem@debian.org>, "Matthias Klose" <doko@debian.org>, "Guillem Jover" <guillem@debian.org>, "Matthias Klose" <doko@debian.org>, "Bálint Réczey" <balint@balintreczey.hu>
Subject: Bug#835146: dpkg: please enable bindow hardening flag by default
Date: Thu, 17 Aug 2017 16:30:25 +0200
Hi all,

PIE made it into Stretch.

But bindnow is still open, even after it was activated for a short time
(and packages were built with it).

May I ask for the planning for Buster?

Thanks in advance!

Dr. Markus Waldeck



Bug reassigned from package 'dpkg' to 'dpkg-dev'. Request was from Guillem Jover <guillem@debian.org> to control@bugs.debian.org. (Sat, 02 Mar 2019 14:33:04 GMT)


No longer marked as found in versions dpkg/1.18.10. Request was from Guillem Jover <guillem@debian.org> to control@bugs.debian.org. (Sat, 02 Mar 2019 14:33:04 GMT)


Changed Bug title to 'dpkg-buildflags: Please enable bindnow hardening flag by default' from 'dpkg: please enable bindnow hardening flag by default'. Request was from Guillem Jover <guillem@debian.org> to control@bugs.debian.org. (Sat, 02 Mar 2019 14:33:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#835146; Package dpkg-dev. (Sun, 12 Dec 2021 12:21:07 GMT)


Acknowledgement sent to balint@balintreczey.hu:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Sun, 12 Dec 2021 12:21:07 GMT)


Message #78 received at 835146@bugs.debian.org:

From: Bálint Réczey <balint@balintreczey.hu>
To: "Dr. Markus Waldeck" <waldeck@gmx.de>
Cc: 835146@bugs.debian.org, Guillem Jover <guillem@debian.org>, Matthias Klose <doko@debian.org>
Subject: Re: Bug#835146: dpkg: please enable bindow hardening flag by default
Date: Sun, 12 Dec 2021 13:19:11 +0100
Hi,

For the record I'm not working on this anymore.

Feel free to either close the bug or pick the work up from here. IMO
there is not much to worry about enabling bindnow since Ubuntu enabled
it in 16.10.

Cheers,
Balint

[1] https://wiki.ubuntu.com/ToolChain%20/CompilerFlags/#A-Wl.2C-z.2Cnow

Dr. Markus Waldeck <waldeck@gmx.de> wrote (on Thu, 17 Aug 2017, 16:31):
>
> Hi all,
>
> PIE made it into Stretch.
>
> But bindnow is still open, even after it was activated for a short time
> (and packages were built with it).
>
> May I ask for the planning for Buster?
>
> Thanks in advance!
>
> Dr. Markus Waldeck



Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#835146; Package dpkg-dev. (Fri, 17 Jun 2022 14:09:03 GMT)


Acknowledgement sent to Christian Göttsche <cgzones@googlemail.com>:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Fri, 17 Jun 2022 14:09:03 GMT)


Message #83 received at 835146@bugs.debian.org:

From: Christian Göttsche <cgzones@googlemail.com>
To: 835146@bugs.debian.org
Cc: Guillem Jover <guillem@debian.org>, Matthias Klose <doko@debian.org>
Subject: Re: Bug#835146: dpkg: please enable bindow hardening flag by default
Date: Fri, 17 Jun 2022 16:04:27 +0200
With LTO being considered to be enabled by default [1], can this please
also get another deliberation?

[1]: https://lists.debian.org/debian-devel/2022/06/msg00092.html



Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#835146; Package dpkg-dev. (Sun, 26 Jun 2022 18:30:03 GMT)


Acknowledgement sent to Guillem Jover <guillem@debian.org>:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Sun, 26 Jun 2022 18:30:03 GMT)


Message #88 received at 835146@bugs.debian.org:

From: Guillem Jover <guillem@debian.org>
To: Christian Göttsche <cgzones@googlemail.com>
Cc: 835146@bugs.debian.org, Matthias Klose <doko@debian.org>
Subject: Re: Bug#835146: dpkg: please enable bindow hardening flag by default
Date: Sun, 26 Jun 2022 20:26:57 +0200
Hi!

On Fri, 2022-06-17 at 16:04:27 +0200, Christian Göttsche wrote:
> With LTO being considered to be enabled by default [1], can this please
> also get another deliberation?

If you want to see this enabled by default, please bring it up again
on debian-devel. AFAIR last time there was push back.

Thanks,
Guillem



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Jan 30 05:16:58 2024; Machine Name: bembo