>>>>> "Guillem" == Guillem Jover <guil...@debian.org> writes:

>> I agree that it would be the easier way and I also tried building
>> packages with patched GCC 5 setting PIE as default with success,
>> but we have a CTTE decision which says that we should set
>> hardening flags through dpkg:
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552688
Guillem> Meh, I'm not going to bother reading that bug report, but
Guillem> if that's what the decision really says, then that decision
Guillem> is just bogus…

So, first, the TC didn't actually make a formal decision. The gcc maintainer didn't like changing the compiler defaults; dpkg-buildflags had gotten enough traction that it seemed to be a sufficient solution, so the bug was closed with a specific note that any interested party could reopen.

However, I think there are several factors that are different in this situation:

* A big concern was introducing new warnings in environments where -Werror was in use. That is something we sadly have a fair bit of experience fixing (-Wuninitialized springs to mind) since the time of that bug, and that seems not to apply to PIE.

* More concerns about cases where the behavior would be wrong than seem to apply here. Regardless of where you make the change you'll break some packages. That happens though; both gcc and dpkg-dev have gotten more strict about various behaviors in ways that break packages within recent memory.

So, I think there's some good reading in the TC bug about the pros and cons of various approaches, but not all of it applies, and there is a bit of flame to wade through mixed in with some generally well-thought discussion. That bug definitely should not be considered binding in general, and definitely not in this environment.

--Sam