Hello,

On 30 August 2016 at 23:07, Lucas Nussbaum <lu...@debian.org> wrote:
> On 22/08/16 at 19:12 +0200, Bálint Réczey wrote:
>> Hi Guillem,
>>
>> 2016-08-21 14:02 GMT+02:00 Guillem Jover <guil...@debian.org>:
>> > Hi!
>> >
>> > On Sun, 2016-08-21 at 10:24:42 +0200, Bálint Réczey wrote:
>> >> I'm testing a set of patches [2] for gcc and dpkg which enable bindnow
>> >> for all arches and PIE for amd64, ppc64el and s390x in sync with Ubuntu.
>> >>
>> >> My assumption was that this set of architectures needs the least amount of
>> >> additional work since they are tested already in Ubuntu, but I would be
>> >> happy if more ports would opt in for PIE.
>> >>
>> >> I plan filing wishlist bugs against dpkg and gcc with the patches
>> >> after I rebuilt a few packages with the defaults.
>> >
>> > TBH I think PIE should in fact be safer to enable globally than
>> > bindnow, because the latter changes the run-time behavior and things
>> > might break (perhaps even silently) when failing to load plugins
>> > or similar.
>>
>> Yes, in that sense enabling PIE is safer indeed. Regarding bindnow
>> I don't expect too many surprises either, since other distributions
>> already tested enabling bindnow and probably they found
>> most issues.
>>
>> > From dpkg PoV enabling both would at least require a full-archive
>> > rebuild, for bindnow ideally also a full autopkgtest run (as the
>> > updated dpkg FAQ states now, after Lucas Nussbaum approached me some
>> > weeks ago mentioning he was willing to do such an archive-wide rebuild).
>>
>> The patches at [2] seem to work well and since you expressed that you would
>> prefer changing both toolchain and dpkg, too, I would like to suggest running
>> the rebuild with those patches.
>>
>> I think Matthias would be OK with the patch since it is very small and brings
>> Debian's gcc closer to Ubuntu's.
>>
>> Lucas, could you please run the rebuild with the three patches?
>
> Hi,
>
> Results are available at
> https://people.debian.org/~lucas/logs/2016/08/30/pie-bindnow-20160830/
>
> I did a full rebuild with bindnow and PIE enabled, then rebuilt all
> failed packages with a pristine unstable chroot.
>
> You can take a look at
> https://people.debian.org/~lucas/logs/2016/08/30/pie-bindnow-20160830/diff.txt
> and grep for "OK Failed" (failed with PIE+bindnow, built fine in
> unstable). (There are 1188 packages failing to build.)
>
> Logs for both builds are available in the respective subdirectories.
>
> Lucas
>
Are you sure these are correct? The numbers for PIE+bindnow are a lot
higher than what we see in Ubuntu, for the same unmodified packages.

E.g. looking at http://qa.ubuntuwire.org/ftbfs/ amd64/ppc64el/s390x have
PIE+bindnow enabled, and i386/armhf/arm64/powerpc do not. There is
nothing in the thousands range. There might be a dozen packages with
PIE+bindnow fixes in Ubuntu that are not in Debian, but that amount
cannot be more than a dozen or two.

Looking at e.g. the ace build log, the PIE+bindnow one has this:

-fno-PIE -no-pie -Wl,-z,relro -Wl,-z,now

which is bindnow without PIE, instead of with PIE. And the same ace
builds fine in Ubuntu, with PIE+bindnow on the relevant arches.
https://launchpad.net/ubuntu/+source/ace/6.3.3+dfsg-1.1

-- 
Regards,
Dimitri.
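One way to check the question Dimitri raises across a whole rebuild, as an added example that is not part of the thread: a small Python script that reads gcc/g++ command lines from a build log and reports the effective PIE and bindnow state per output file, honouring GCC's rule that the last of two conflicting flags wins. The log lines are constructed; the second one mirrors the ace flag set quoted above.

```python
import shlex

# Constructed sample build-log lines; the second mirrors the flag set quoted
# from the ace build log in the thread (bindnow enabled, PIE explicitly off).
SAMPLE_LOG = """\
gcc -g -O2 -fstack-protector-strong -fPIE -c foo.c -o foo.o
gcc -fno-PIE -no-pie -Wl,-z,relro -Wl,-z,now foo.o -o ace
g++ -fPIE -pie -Wl,-z,relro -Wl,-z,now bar.o -o tao
gcc -fPIE -pie -Wl,-z,relro,-z,now -Wl,-z,lazy baz.o -o lazybin
"""

def linker_z_keywords(argv):
    """Yield every keyword handed to the linker via -z, in command-line order."""
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-Wl,"):
            parts = tok[4:].split(",")      # -Wl,-z,relro,-z,now -> relro, now
            for j, part in enumerate(parts):
                if part == "-z" and j + 1 < len(parts):
                    yield parts[j + 1]
        elif tok == "-z" and i + 1 < len(argv):
            yield argv[i + 1]
            i += 1
        i += 1

def classify(cmdline):
    """Return (output, pie, bindnow) for one gcc/g++ invocation.

    pie and bindnow are True, False or None (not specified). GCC honours the
    last of conflicting flags, so a later -fno-PIE/-no-pie or -z lazy
    overrides an earlier -fPIE/-pie or -z now. bindnow only matters at link.
    """
    argv = shlex.split(cmdline)
    is_link = "-c" not in argv
    pie_compile = pie_link = bindnow = None
    output = argv[argv.index("-o") + 1] if "-o" in argv else "a.out"
    for tok in argv:
        low = tok.lower()                   # -fPIE and -fpie are equivalent
        if low == "-fpie":
            pie_compile = True
        elif low == "-fno-pie":
            pie_compile = False
        elif tok == "-pie":
            pie_link = True
        elif tok == "-no-pie":
            pie_link = False
    for kw in linker_z_keywords(argv):
        bindnow = {"now": True, "lazy": False}.get(kw, bindnow)
    pie = pie_link if is_link else pie_compile
    return output, pie, (bindnow if is_link else None)

def audit(log_text):
    """Map each output file to its effective (pie, bindnow) state."""
    return {out: (pie, now) for out, pie, now in
            (classify(line) for line in log_text.splitlines() if line.strip())}
```

An entry of `(False, True)`, as for `ace` here, is exactly the "bindnow without PIE" case noted above.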