Re: [RFC] Enabling bindnow by default in dpkg-buildflags?

2016-12-19 Thread Bálint Réczey
2016-12-19 14:58 GMT+01:00 Julien Cristau : > On 12/19/2016 11:37 AM, Bálint Réczey wrote: >> Thanks. If I could perform the autopkgtest run with bindnow this year would >> it >> be convincing enough given only a small amount of breakages to enable >> bindnow early in

Re: [RFC] Enabling bindnow by default in dpkg-buildflags?

2016-12-19 Thread Julien Cristau
On 12/19/2016 11:37 AM, Bálint Réczey wrote: > Thanks. If I could perform the autopkgtest run with bindnow this year would it > be convincing enough given only a small amount of breakages to enable > bindnow early in January? > I thought I was clear earlier. No, enabling bindnow globally is

Re: [RFC] Enabling bindnow by default in dpkg-buildflags?

2016-12-19 Thread Bálint Réczey
Hi Guillem, 2016-12-19 1:34 GMT+01:00 Guillem Jover : > On Sat, 2016-12-17 at 09:20:40 +0100, Bálint Réczey wrote: >> 2016-12-17 3:14 GMT+01:00 Guillem Jover : >> > On Wed, 2016-12-14 at 14:05:44 +0100, Bálint Réczey wrote: >> >> 2016-12-13 9:29 GMT+01:00

Re: [RFC] Enabling bindnow by default in dpkg-buildflags?

2016-12-18 Thread Guillem Jover
On Sat, 2016-12-17 at 09:20:40 +0100, Bálint Réczey wrote: > 2016-12-17 3:14 GMT+01:00 Guillem Jover : > > On Wed, 2016-12-14 at 14:05:44 +0100, Bálint Réczey wrote: > >> 2016-12-13 9:29 GMT+01:00 Bálint Réczey : > >> > 2016-11-27 23:11 GMT+01:00 Bálint

Re: [RFC] Enabling bindnow by default in dpkg-buildflags?

2016-12-17 Thread Bálint Réczey
Hi, 2016-12-17 10:17 GMT+01:00 Julien Cristau : > On Sat, Dec 17, 2016 at 09:20:40 +0100, Bálint Réczey wrote: > >> >> >> Considering that we are already in the transition freeze I suggest >> >> >> going with enabling bindnow for all architectures in dpkg and >> >> >> for

Re: [RFC] Enabling bindnow by default in dpkg-buildflags?

2016-12-17 Thread Julien Cristau
On Sat, Dec 17, 2016 at 09:20:40 +0100, Bálint Réczey wrote: > >> >> Considering that we are already in the transition freeze I suggest > >> >> going with enabling bindnow for all architectures in dpkg and > >> >> for Stretch+1 the responsibility of setting some hardening flags > >> >> could be

Re: [RFC] Enabling bindnow by default in dpkg-buildflags?

2016-12-17 Thread Bálint Réczey
Hi Guillem, 2016-12-17 3:14 GMT+01:00 Guillem Jover : > On Wed, 2016-12-14 at 14:05:44 +0100, Bálint Réczey wrote: >> 2016-12-13 9:29 GMT+01:00 Bálint Réczey : >> > 2016-11-27 23:11 GMT+01:00 Bálint Réczey : >> >> 2016-11-23 2:30

Re: [RFC] Enabling bindnow by default in dpkg-buildflags?

2016-12-16 Thread Guillem Jover
On Wed, 2016-12-14 at 14:05:44 +0100, Bálint Réczey wrote: > 2016-12-13 9:29 GMT+01:00 Bálint Réczey : > > 2016-11-27 23:11 GMT+01:00 Bálint Réczey : > >> 2016-11-23 2:30 GMT+01:00 Guillem Jover : > >>> My main concern is and has

Re: [RFC] Enabling bindnow by default in dpkg-buildflags?

2016-12-14 Thread Andrey Rahmatullin
On Wed, Dec 14, 2016 at 02:05:44PM +0100, Bálint Réczey wrote: > I have uploaded a dpkg NMU with bindnow enabled to DELAYED/10 > according to current NMU rules. If the Release Team increases the > severity of #835146 it can reach unstable earlier. Thanks! -- WBR, wRAR

Re: [RFC] Enabling bindnow by default in dpkg-buildflags?

2016-12-14 Thread Bálint Réczey
Hi All, 2016-12-13 9:29 GMT+01:00 Bálint Réczey : > Hi Guillem, > > 2016-11-27 23:11 GMT+01:00 Bálint Réczey : >> Hi Guillem, >> >> 2016-11-23 2:30 GMT+01:00 Guillem Jover : >>> Hi! >>> >>> This was discussed relatively recently,

Re: Re: [RFC] Enabling bindnow by default in dpkg-buildflags

2016-12-14 Thread Esokrates
It seems no one cares, there is no movement whatsoever. Why not just go forward and enable it in sid? Others have done and it worked, there has been sufficient testing in Ubuntu. In fact this was even simply enabled in GCC for a short period of time deliberately. I do not see the problem here.

Re: [RFC] Enabling bindnow by default in dpkg-buildflags?

2016-12-13 Thread Bálint Réczey
Hi Guillem, 2016-11-27 23:11 GMT+01:00 Bálint Réczey : > Hi Guillem, > > 2016-11-23 2:30 GMT+01:00 Guillem Jover : >> Hi! >> >> This was discussed relatively recently, but it was not entirely clear >> to me what was the conclusion, if there was any(?),

Re: [RFC] Enabling bindnow by default in dpkg-buildflags?

2016-11-27 Thread Bálint Réczey
Hi Guillem, 2016-11-23 2:30 GMT+01:00 Guillem Jover : > Hi! > > This was discussed relatively recently, but it was not entirely clear > to me what was the conclusion, if there was any(?), about enabling > bindnow by default. > > And although this got enabled by default in

Re: [RFC] Enabling bindnow by default in dpkg-buildflags?

2016-11-24 Thread Paul Wise
On Wed, Nov 23, 2016 at 5:24 PM, Simon McVittie wrote: > (I'm not entirely sure why we consider hardening packaged code to be so > much more important than hardening the locally-built code compiled by > our users, which changed compiler defaults like those in Ubuntu > would also give us.) IIRC,

Re: [RFC] Enabling bindnow by default in dpkg-buildflags?

2016-11-24 Thread Arto Jantunen
Simon McVittie writes: > (I'm not entirely sure why we consider hardening packaged code to be so > much more important than hardening the locally-built code compiled by > our users, which changed compiler defaults like those in Ubuntu > would also give us.) I think you might

Re: [RFC] Enabling bindnow by default in dpkg-buildflags?

2016-11-23 Thread Simon McVittie
On Wed, 23 Nov 2016 at 02:30:24 +0100, Guillem Jover wrote: > And although this got enabled by default in gcc-6 6.2.0-7 when PIE > also got enabled, it seems it got disabled in 6.2.0-10 when I pointed > out that enabling bindnow in gcc w/o enabling relro too didn't seem to > make much sense, but

[RFC] Enabling bindnow by default in dpkg-buildflags?

2016-11-22 Thread Guillem Jover
Hi! This was discussed relatively recently, but it was not entirely clear to me what was the conclusion, if there was any(?), about enabling bindnow by default. And although this got enabled by default in gcc-6 6.2.0-7 when PIE also got enabled, it seems it got disabled in 6.2.0-10 when I