Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp", v2
> Has anyone checked 32-bit systems? "emerge -pv =sys-devel/gcc-6.3.0"
> on a 2008 Core2duo 32-bit install (my GCC 6.3.0 testbed) shows "(-pie)".
> I read that as the "pie" USE flag being hard-masked out. On my 64-bit
> desktop, "pie" is the default.

Yes, we are aware of this. Unfortunately, determining the course of action took a bit of time. Will be fixed with a small profile update within the next 24h.

Best,
Matthias
Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp", v2
On Tue, May 09, 2017 at 06:58:42PM -0500, Matthias Maier wrote:
> This is a reworded news item (assuming we proceed with the plan to
> default-enable USE=pie). Suggestions for improving the emerge command to
> fix static archives is highly welcomed.
>
> Matthias
>
> Title: GCC 6 defaults to USE="pie ssp"
> Author: Matthias Maier
> Content-Type: text/plain
> Posted: 2017-05-09
> Revision: 1
> News-Item-Format: 1.0
> Display-If-Installed: >=sys-devel/gcc-6.3.0
>
> In Gentoo, several GCC features can be default disabled or enabled
> via use-flags of sys-devel/gcc. Starting with gcc-4.8.3 we have already
> enabled default SSP [1]. Since the PIE patchset for default position
> independent executable support was integrated upstream [2,3], starting
> with gcc-6.3 we are also enabling PIE by default (via a default-enabled
> use-flag pie) in regular (non-hardened) profiles.

Has anyone checked 32-bit systems? "emerge -pv =sys-devel/gcc-6.3.0" on a 2008 Core2duo 32-bit install (my GCC 6.3.0 testbed) shows "(-pie)". I read that as the "pie" USE flag being hard-masked out. On my 64-bit desktop, "pie" is the default.

--
Walter Dnes
I don't run "desktop environments"; I run useful applications
Re: New profiles for default-pie transition (was: Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp", v2)
On Wed, 10 May 2017 15:29:19 +0200
"Andreas K. Huettel" wrote:

> * generate a new set of profiles 17.0 where it's package.use.forced
> * tell people they may have to rebuild world when they switch

Do we really need to rebuild world? From what I understand problems arise if we have packages installing static libraries that aren't built position independent. However that's only a small fraction of packages and we should be easily able to detect them. Can't we just provide a small script or bash oneliner that will rebuild all affected packages?

(other than that I think the profile plan sounds reasonable)

--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
New profiles for default-pie transition (was: Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp", v2)
On Wednesday, 10 May 2017, 13:58:56 CEST, Dirkjan Ochtman wrote:
> On Wed, May 10, 2017 at 11:19 AM, Kristian Fiskerstrand wrote:
> > Sounds like a reasonable action plan. The consequences of such a change
> > definitely seems to be sufficiently high to merit a proper migration
> > plan which doesn't seem to have been established at this point. Whether
> > that can be added to a later point with gcc6 (e.g by adding a new
> > profile, or a later point release) I don't have strong opinions on, but
> > there should be a plan and proper overview of the consequences.
>
> Yeah, I think I agree. From the discussions so far, I think that we
> should definitely aim for making pie the default for everyone (on
> arches where it makes sense), but doing it in the gcc-6 now which has
> seen only a short period of testing so far seems a bit hasty based on
> data from the messages that I've seen in these threads so far.

Actually the idea I like best so far is Jason's profile suggestion.

* package.use.mask gcc[pie] in the 13.0 profiles
* generate a new set of profiles 17.0 where it's package.use.forced
* tell people they may have to rebuild world when they switch

-> This would also give us some time to discuss what other changes we might make with the transition to the new profiles.
-> Also, this means the transition is independent of gcc release timing.

(We just need to be careful since hardened also inherits 13.0, so the setting must be overridden there. As far as I can see that's already done there though.)

--
Andreas K. Hüttel
dilfri...@gentoo.org
Gentoo Linux developer (council, perl, libreoffice)
Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"
Mike Gilbert wrote:
> I disagree. We might want to default the "pie" USE flag differently
> depending on the profile, but there's no need to force it.

I think we should force the pie USE flag on/off depending on the profile. My proposal:

For all profiles except hardened, introduce a pie/nopie variant. Deprecate the nopie profiles once enough packages build successfully (maybe request a tinderbox run?) In the profile deprecation message, point to a document how to migrate to pie.

Setting pie default depending on GCC version is not a good idea IMO.

Best regards,
Chí-Thanh Christopher Nguyễn
Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp", v2
On Wed, May 10, 2017 at 11:19 AM, Kristian Fiskerstrand wrote:
> Sounds like a reasonable action plan. The consequences of such a change
> definitely seems to be sufficiently high to merit a proper migration
> plan which doesn't seem to have been established at this point. Whether
> that can be added to a later point with gcc6 (e.g by adding a new
> profile, or a later point release) I don't have strong opinions on, but
> there should be a plan and proper overview of the consequences.

Yeah, I think I agree. From the discussions so far, I think that we should definitely aim for making pie the default for everyone (on arches where it makes sense), but doing it in the gcc-6 now which has seen only a short period of testing so far seems a bit hasty based on data from the messages that I've seen in these threads so far.

Cheers,

Dirkjan
Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"
On Wed, 10 May 2017 09:23:04 +0200
Alexis Ballier wrote:

> https://bugzilla.redhat.com/show_bug.cgi?id=1238804 (building perl with
> pie seems to make some perl packages fail at runtime)

If that's really the case, can we *not* do this right now?

There's one thing Perl team don't need right now and that's an additional class of failure modes that can have widespread fallout by default.

We quite have our hands full as it is.
Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp", v2
On 05/10/2017 09:52 AM, Alexis Ballier wrote:
> On Tue, 09 May 2017 18:58:42 -0500
> Matthias Maier wrote:
>
>> This is a reworded news item (assuming we proceed with the plan to
>> default-enable USE=pie). Suggestions for improving the emerge command
>> to fix static archives is highly welcomed.
>
> Really, I think the slot to have pie for gcc 6 has been missed by
> default-enabling it only recently. We should aim for gcc 7 at least and
> have proper testing.
>
> And add a few safety nets: A portage warning when installing non-pie
> binaries, something that dies with FEATURES=strict or stricter, like
> the textrel one we have. That is to avoid the quick n dirty
> 'append-ldflags -no-pie' that makes the whole thing about forcing pie
> questionable. If possible, detect static archives that have relocations
> too.
>
> Ideally provide a system scanning tool for the above too.
>
> After a few months of masked gcc7 like that we'll have enough data to
> decide on a proper plan. It'll probably be good to get QA in the loop
> and make this a QA goal too.

Sounds like a reasonable action plan. The consequences of such a change definitely seems to be sufficiently high to merit a proper migration plan which doesn't seem to have been established at this point. Whether that can be added to a later point with gcc6 (e.g by adding a new profile, or a later point release) I don't have strong opinions on, but there should be a plan and proper overview of the consequences.

--
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp", v2
On Tue, 09 May 2017 18:58:42 -0500
Matthias Maier wrote:

> This is a reworded news item (assuming we proceed with the plan to
> default-enable USE=pie). Suggestions for improving the emerge command
> to fix static archives is highly welcomed.

Really, I think the slot to have pie for gcc 6 has been missed by default-enabling it only recently. We should aim for gcc 7 at least and have proper testing.

And add a few safety nets: A portage warning when installing non-pie binaries, something that dies with FEATURES=strict or stricter, like the textrel one we have. That is to avoid the quick n dirty 'append-ldflags -no-pie' that makes the whole thing about forcing pie questionable. If possible, detect static archives that have relocations too.

Ideally provide a system scanning tool for the above too.

After a few months of masked gcc7 like that we'll have enough data to decide on a proper plan. It'll probably be good to get QA in the loop and make this a QA goal too.
Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"
On Tue, 09 May 2017 18:13:06 -0500
Matthias Maier wrote:

> > For a transition we can probably build everything with -fPIE but not
> > link with -pie. If we want that to happen fast, gcc-6 might do that
> > and gcc-7 add the -pie option.
>
> I am not entirely convinced that a transition period of one gcc
> version is enough for a smooth transition [1].

In theory, a transition period won't help. It'll probably mitigate the user issues by a lot though.

Note that by being a source based rolling distro we're quite different than e.g. fedora rebuilding all their repo at each release.

[...]

> Related to that
>
> - for which architectures shall we unmask the use flag?

Keep in mind that if the performance implications are almost inexistent for amd64, pie might have serious implications on other arches. x86 eating one register for pie/pic and lacking an easy way to write pic safe asm is a very well known problematic arch.

Which raises the question: What happens for multilib amd64 ?

[...]

> [3] The fallout I currently see due to enabled USE=pie is noticeably
> but by no stretch crazy bad. After all, static linkage is rarely used
> (with the exception of some languages).

After only a few days in ~arch and no tinderbox run I'd say that's pretty normal :)

static linkage is more present than one would like though; and it's not only -static, but also libs that do not make sense or break when shared (libfl comes to mind)

Alexis.
Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"
On Wed, 10 May 2017 01:40:36 +0200
"Andreas K. Huettel" wrote:

> On Wednesday, 10 May 2017, 00:47:30 CEST, Alexis Ballier wrote:
> > On Tue, 9 May 2017 23:18:20 +0200 Hanno Böck
> > wrote:
> > > I really think it's about time that pie becomes the default in
> > > Gentoo.
> >
> > For a transition we can probably build everything with -fPIE but not
> > link with -pie. If we want that to happen fast, gcc-6 might do that
> > and gcc-7 add the -pie option.
>
> What do we gain by that?
>
> Wouldn't we need to rebuild all the static archives afterwards again
> anyway, just to make sure they have been rebuilt?

yep we wouldn't gain much considering gcc unmasks timings, the idea was to have enough time to pass for the need to rebuild to be gone
Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"
On Wed, 10 May 2017 01:44:06 +0200
"Andreas K. Huettel" wrote:

> > While I believe it might be a bit too early to default-enable pie,
> > why not, but the news item *must* contain instructions that people
> > should 'emerge -e world' in order for it to work.
> >
> > Also, I don't believe default-pie should even be a useflag. It's
> > always been forced-on for hardened and forced-off for non-hardened
> > I think. Switching between the two types of profiles has always
> > been difficult because of that kind of differences. I strongly
> > believe this should stay that way (that is: this cant be toggled by
> > a simple useflag).
>
> Well... Hanno and Matthias said Gentoo is about the only place where
> it isn't on by default. So why are we "early", and why not just force
> it on for everybody?

We're early because it has not been prepared. It has just been toggled to default on *after* unmasking gcc-6 without even a tinderbox run. We have no real idea of the fallout.

As for Hanno's claim that others are doing it, well, I'd say that's a really good opportunity to have a look at their findings:

Fedora (which did the emerge -e world thing):
https://fedoraproject.org/wiki/Changes/Harden_All_Packages
From the tracker: https://bugzilla.redhat.com/show_bug.cgi?id=1199775
We can find a few runtime failures:
https://bugzilla.redhat.com/show_bug.cgi?id=956868 (no idea)
https://bugzilla.redhat.com/show_bug.cgi?id=952946 (requires kernel 4.1+)
https://bugzilla.redhat.com/show_bug.cgi?id=1238804 (building perl with pie seems to make some perl packages fail at runtime)
https://bugzilla.redhat.com/show_bug.cgi?id=1228570 (mono borkage)

Ubuntu:
https://wiki.ubuntu.com/SteveBeattie/PIENotes
https://launchpad.net/~sbeattie/+archive/ubuntu/gcc-pie-amd64/+build/8315122 (Qt checking type of an executable, which changes after enabling pie)
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=18780 (emacs segfaults with pie, has to use -no-pie)

But probably the debian transition is the best to look for since they'd be the ones with closest release methodology as us (with testing/unstable):
https://wiki.debian.org/Hardening/PIEByDefaultTransition
The first test build finished with 1188 packages failing

So, yes, I do believe we need a more serious plan to enable pie by default :)

Alexis.
Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"
On Wed, May 10, 2017, at 00:07 CDT, Jason Zaman wrote:

> I just want to make sure I'm understanding this right, only .a files that
> were compiled without -pie will cause issues if you compile the later
> thing that uses the .a with -pie?
> So:
> 1) people on hardened profiles are going to be fine no matter what?

Yes.

> 2) only packages that have .a files need to be rebuilt? (not -e @world)?

Essentially yes. (There might be one or two additional catches for languages with special linkage/libraries. For example, haskell packages have to force -no-pie - which they already do :-])

> 3) .a are static libs for compiling static binaries right, so nothing
> will break at runtime from the change? only build failures?

Yes.

> I definitely think everyone on gentoo should have PIE and SSP by default
> nowadays. What's the status of -zrelro -znow on non-hardened?

The essential difference between non-hardened and hardened is additional -fstack-protector-all -fstrict_overflow -znow on hardened.

> This might be the kind of thing where a new set of profiles is a good
> idea
> 1) hardened would force the flags on,
> 2) 13.0 non-hardened would force them off
> 3) 17.0 non-hardened would force them on and people have to rebuild when
> they change profiles

*mhm* A profile update would also be an idea.

> I'm not sure how the timing of the new profile would work? only make them
> once gcc-6 is stable so everyone does it at once?

Best,
Matthias
Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"
On Wed, May 10, 2017 at 01:44:06AM +0200, Andreas K. Huettel wrote:
> On Tuesday, 9 May 2017, 22:10:21 CEST, Alexis Ballier wrote:
> >
> > Do you realize that this breaks linking against about any static lib
> > ever built before upgrading ? And I'm not even considering people
> > toggling the flag.
>
> Toggling the flag is definitely bad. So it should be either on or off.
>
> >
> > While I believe it might be a bit too early to default-enable pie, why
> > not, but the news item *must* contain instructions that people should
> > 'emerge -e world' in order for it to work.
> >
> > Also, I don't believe default-pie should even be a useflag. It's always
> > been forced-on for hardened and forced-off for non-hardened I think.
> > Switching between the two types of profiles has always been difficult
> > because of that kind of differences. I strongly believe this should stay
> > that way (that is: this cant be toggled by a simple useflag).
>
> Well... Hanno and Matthias said Gentoo is about the only place where it isn't
> on by default. So why are we "early", and why not just force it on for
> everybody?

I just want to make sure I'm understanding this right, only .a files that were compiled without -pie will cause issues if you compile the later thing that uses the .a with -pie?

So:
1) people on hardened profiles are going to be fine no matter what?
2) only packages that have .a files need to be rebuilt? (not -e @world)?
3) .a are static libs for compiling static binaries right, so nothing will break at runtime from the change? only build failures?

I definitely think everyone on gentoo should have PIE and SSP by default nowadays. What's the status of -zrelro -znow on non-hardened?

This might be the kind of thing where a new set of profiles is a good idea
1) hardened would force the flags on,
2) 13.0 non-hardened would force them off
3) 17.0 non-hardened would force them on and people have to rebuild when they change profiles

I'm not sure how the timing of the new profile would work? only make them once gcc-6 is stable so everyone does it at once?

--
Jason
Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp", v2
This is a reworded news item (assuming we proceed with the plan to default-enable USE=pie). Suggestions for improving the emerge command to fix static archives is highly welcomed.

Matthias


Title: GCC 6 defaults to USE="pie ssp"
Author: Matthias Maier
Content-Type: text/plain
Posted: 2017-05-09
Revision: 1
News-Item-Format: 1.0
Display-If-Installed: >=sys-devel/gcc-6.3.0

In Gentoo, several GCC features can be default disabled or enabled via use-flags of sys-devel/gcc. Starting with gcc-4.8.3 we have already enabled default SSP [1]. Since the PIE patchset for default position independent executable support was integrated upstream [2,3], starting with gcc-6.3 we are also enabling PIE by default (via a default-enabled use-flag pie) in regular (non-hardened) profiles.

[Additionally, following Gentoo policies, the default-off use-flags nopie (only present in Hardened) and nossp are replaced starting with gcc-6 by default-on use-flags pie and ssp.]

Be advised that switching from an older version to GCC 6 will enable the PIE feature by default. This should not cause many problems for packages involving shared libraries. However, static archives need to be rebuilt (otherwise final linkage will fail [4]). You can rebuild affected packages containing static archives via

  # emerge --exclude 'dev-haskell/*' -1 $(find /lib* /usr/lib* -type f -name "*.a")

[1] https://www.gentoo.org/support/news-items/2014-06-15-gcc48_ssp.html
[2] https://gcc.gnu.org/gcc-6/changes.html
[3] A big thanks to all developers and members of the Gentoo community that made upstreaming the pie patchset and other hardening options possible!
[4] A typical link error reads

  relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
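The emerge command in the news item rebuilds the owner of every installed static archive. Two replies in this thread ask for something narrower: Alexis wants to "detect static archives that have relocations" and "a system scanning tool", and Hanno asks for a small script that finds only the affected packages. The following is an added example, not part of the thread and not Gentoo's tooling: a self-contained scanner that walks .a archives and reports members containing relocation types a PIE link rejects (R_X86_64_32 and R_X86_64_32S on x86-64, R_386_32 on i386), i.e. exactly the class behind the linker error quoted in [4]. Objects compiled with -fPIE/-fPIC use PC-relative or GOT/PLT relocations instead and are not reported. It assumes GNU ar format (BSD "#1/" long names are not handled) and little-endian ELF; the sample archive it builds when run with no arguments is constructed in-code and is not real compiler output. The archives it prints can be mapped to their owning packages with qfile from portage-utils and then rebuilt with emerge -1.

```python
"""Find static archives whose members carry relocations a PIE link rejects.
Added example for this thread, not Gentoo tooling.  Assumes GNU 'ar' format
and little-endian ELF; the sample input at the bottom is constructed."""
import struct
import sys
from pathlib import Path

AR_MAGIC = b"!<arch>\n"
SHT_RELA, SHT_REL = 4, 9
# Relocation types that need a fixed load address, keyed by e_machine.
ABS_RELOCS = {62: {10: "R_X86_64_32", 11: "R_X86_64_32S"},   # EM_X86_64
              3: {1: "R_386_32"}}                             # EM_386

def ar_members(data):
    """Yield (name, bytes) for each object in a GNU-style ar archive."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    off, longnames = len(AR_MAGIC), b""
    while off + 60 <= len(data):
        hdr = data[off:off + 60]                      # fixed 60-byte member header
        name, size = hdr[:16].rstrip(), int(hdr[48:58].decode().strip())
        body = data[off + 60:off + 60 + size]
        off += 60 + size + (size & 1)                 # members are 2-byte aligned
        if name == b"//":                             # GNU long-name string table
            longnames = body
        elif name in (b"/", b"/SYM64/"):              # symbol index, not an object
            continue
        else:
            if name.startswith(b"/"):                 # "/<offset>" into longnames
                idx = int(name[1:])
                name = longnames[idx:longnames.index(b"/\n", idx)]
            yield name.rstrip(b"/").decode(errors="replace"), body

def abs_relocs(elf):
    """Names of non-PIC relocation types found in one ELF relocatable object."""
    if elf[:4] != b"\x7fELF":
        return []
    machine = struct.unpack_from("<H", elf, 18)[0]
    bad = ABS_RELOCS.get(machine, {})
    if elf[4] == 2:                                   # ELFCLASS64
        shoff = struct.unpack_from("<Q", elf, 0x28)[0]
        shentsize, shnum = struct.unpack_from("<HH", elf, 0x3A)
        shdr, rela, rel, tmask = "<IIQQQQIIQQ", "<QQq", "<QQ", 0xFFFFFFFF
    else:                                             # ELFCLASS32
        shoff = struct.unpack_from("<I", elf, 0x20)[0]
        shentsize, shnum = struct.unpack_from("<HH", elf, 0x2E)
        shdr, rela, rel, tmask = "<IIIIIIIIII", "<IIi", "<II", 0xFF
    found = []
    for i in range(shnum):
        sh = struct.unpack_from(shdr, elf, shoff + i * shentsize)
        sh_type, sh_off, sh_size, sh_entsize = sh[1], sh[4], sh[5], sh[9]
        if sh_type not in (SHT_RELA, SHT_REL):
            continue
        fmt = rela if sh_type == SHT_RELA else rel
        step = sh_entsize or struct.calcsize(fmt)
        for off in range(sh_off, sh_off + sh_size, step):
            rtype = struct.unpack_from(fmt, elf, off)[1] & tmask   # r_info -> type
            if rtype in bad:
                found.append(bad[rtype])
    return found

def scan_archive(data):
    """{member: sorted unique offending reloc names}, only for members with any."""
    report = {}
    for name, body in ar_members(data):
        hits = abs_relocs(body)
        if hits:
            report[name] = sorted(set(hits))
    return report

def build_sample_object(reloc_types, machine=62):
    """Constructed minimal ELF64 .o: a .text section plus a .rela.text section
    holding one relocation of each given type (test input only, not gcc output)."""
    text = b"\x90" * 8
    rela = b"".join(struct.pack("<QQq", 0, (1 << 32) | t, 0) for t in reloc_types)
    text_off, rela_off = 64, 64 + len(text)
    shoff = rela_off + len(rela)
    shdrs = struct.pack("<IIQQQQIIQQ", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)                  # SHT_NULL
    shdrs += struct.pack("<IIQQQQIIQQ", 1, 1, 6, 0, text_off, len(text), 0, 0, 16, 0)  # .text
    shdrs += struct.pack("<IIQQQQIIQQ", 7, SHT_RELA, 0, 0, rela_off, len(rela), 0, 1, 8, 24)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\x00" * 9      # ELFCLASS64, little-endian
    ehdr += struct.pack("<HHIQQQIHHHHHH", 1, machine, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0)
    return ehdr + text + rela + shdrs

def build_ar(members):
    """Constructed GNU-style ar archive from (name, bytes) pairs."""
    out = bytearray(AR_MAGIC)
    for name, body in members:
        hdr = f"{name + '/':<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(body):<10}`\n"
        out += hdr.encode() + body + (b"\n" if len(body) & 1 else b"")
    return bytes(out)

if __name__ == "__main__":
    if len(sys.argv) > 1:            # e.g. python3 scan_pie.py /usr/lib64 /usr/lib
        for p in map(Path, sys.argv[1:]):
            for archive in (p.rglob("*.a") if p.is_dir() else [p]):
                try:
                    hits = scan_archive(archive.read_bytes())
                except ValueError:   # e.g. a linker script named *.a
                    continue
                for member, types in hits.items():
                    print(f"{archive}({member}): {' '.join(types)}")
    else:                            # constructed demo: one stale member, one clean one
        demo = build_ar([("old.o", build_sample_object([10, 11])),
                         ("pie.o", build_sample_object([2, 4]))])
        print(scan_archive(demo))    # {'old.o': ['R_X86_64_32', 'R_X86_64_32S']}
```

Run it against /lib* and /usr/lib* to get the list of archives that will actually fail a -pie link; everything it does not report was already built position independent (or has no relocations at all) and does not need a rebuild. Like any static check it says nothing about the runtime failures the Fedora and Debian trackers list, which come from programs that assume a non-PIE executable layout rather than from stale objects.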
Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"
On Tuesday, 9 May 2017, 22:10:21 CEST, Alexis Ballier wrote:
>
> Do you realize that this breaks linking against about any static lib
> ever built before upgrading ? And I'm not even considering people
> toggling the flag.

Toggling the flag is definitely bad. So it should be either on or off.

>
> While I believe it might be a bit too early to default-enable pie, why
> not, but the news item *must* contain instructions that people should
> 'emerge -e world' in order for it to work.
>
> Also, I don't believe default-pie should even be a useflag. It's always
> been forced-on for hardened and forced-off for non-hardened I think.
> Switching between the two types of profiles has always been difficult
> because of that kind of differences. I strongly believe this should stay
> that way (that is: this cant be toggled by a simple useflag).

Well... Hanno and Matthias said Gentoo is about the only place where it isn't on by default. So why are we "early", and why not just force it on for everybody?

--
Andreas K. Hüttel
dilfri...@gentoo.org
Gentoo Linux developer (council, perl, libreoffice)
Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"
On Wednesday, 10 May 2017, 00:47:30 CEST, Alexis Ballier wrote:
> On Tue, 9 May 2017 23:18:20 +0200 Hanno Böck wrote:
> > I really think it's about time that pie becomes the default in Gentoo.
>
> For a transition we can probably build everything with -fPIE but not
> link with -pie. If we want that to happen fast, gcc-6 might do that and
> gcc-7 add the -pie option.

What do we gain by that?

Wouldn't we need to rebuild all the static archives afterwards again anyway, just to make sure they have been rebuilt?

--
Andreas K. Hüttel
dilfri...@gentoo.org
Gentoo Linux developer (council, perl, libreoffice)
Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"
> For a transition we can probably build everything with -fPIE but not
> link with -pie. If we want that to happen fast, gcc-6 might do that and
> gcc-7 add the -pie option.

I am not entirely convinced that a transition period of one gcc version is enough for a smooth transition [1]. It might be better to go through a quick transition process that requires a world rebuild. - In particular we already forced everyone on ~amd64 to play beta tester in this regard [2,3].

Anyway the current use flag situation is a mess and has to be cleaned up asap. So, does anyone recall why USE=pie was masked for >gcc-6.2 for everyone except amd64?

Related to that

- for which architectures shall we unmask the use flag?
- shall we use.force a certain behavior per profile, or keep the flag unpinned?

After having thought about the issue for a bit I still want to propose what we have already accidentally done - switch to USE=pie per default for gcc-6.

Best,
Matthias

[1] Indeed *every* major linux distribution for which I have an lxc container has -pie enabled. If we decide on some slow transition we risk to be late to the party by quite a bit.
[2] Which is extremely unfortunate.
[3] The fallout I currently see due to enabled USE=pie is noticeably but by no stretch crazy bad. After all, static linkage is rarely used (with the exception of some languages).
Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"
On Tue, 9 May 2017 23:18:20 +0200
Hanno Böck wrote:

> Hi,
>
> On Tue, 09 May 2017 15:55:36 -0500
> Matthias Maier wrote:
>
> > Well, Alexis certainly makes a strong point. Breaking installed
> > static archives by changing a use flag shouldn't be as easy as
> > changing a useflag. So we might simply use.force the pie use flag
> > depending on hardened/non-hardened profiles.
>
> While I understand that enabling pie requires some more planning to
> avoid breakage, I hope this is not the final solution we aim for. I
> really think it's about time that pie becomes the default in Gentoo.

For a transition we can probably build everything with -fPIE but not link with -pie. If we want that to happen fast, gcc-6 might do that and gcc-7 add the -pie option.

Alexis.
Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"
Hi,

On Tue, 09 May 2017 15:55:36 -0500
Matthias Maier wrote:

> Well, Alexis certainly makes a strong point. Breaking installed static
> archives by changing a use flag shouldn't be as easy as changing a
> useflag. So we might simply use.force the pie use flag depending on
> hardened/non-hardened profiles.

While I understand that enabling pie requires some more planning to avoid breakage, I hope this is not the final solution we aim for. I really think it's about time that pie becomes the default in Gentoo.

pie is required for working ASLR, which almost every other OS out there has these days. In recent years also Fedora, Ubuntu and lately Debian switched it on by default. I really think this should be a default security setting, not something that only lives in hardened.

--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"
On Tue, May 9, 2017, at 15:10 CDT, Alexis Ballier wrote:

> There is a *huge* difference between:
> Disable PIE support (NOT FOR GENERAL USE)
> and the negation of:
> pie - Build programs as Position Independent Executables (a security
> hardening technique)
>
> Enabling the latter builds *everything* as PIE.

Yes.

> Do you realize that this breaks linking against about any static lib
> ever built before upgrading ? And I'm not even considering people
> toggling the flag.

Yes, I am aware of this.

On Tue, May 9, 2017, at 15:27 CDT, Mike Gilbert wrote:

> I disagree. We might want to default the "pie" USE flag differently
> depending on the profile, but there's no need to force it.

Well, Alexis certainly makes a strong point. Breaking installed static archives by changing a use flag shouldn't be as easy as changing a useflag. So we might simply use.force the pie use flag depending on hardened/non-hardened profiles.

I'll follow up with a proposed profile change forcing -pie for non hardened and pie for hardened profiles (instead of this news item).

I have one question, though: For what arches do we have to disable pie? (The current patchset simply enables all.)

Best,
Matthias
Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"
On Tue, May 9, 2017 at 4:10 PM, Alexis Ballier wrote:
> Also, I don't believe default-pie should even be a useflag. It's always
> been forced-on for hardened and forced-off for non-hardened I think.
> Switching between the two types of profiles has always been difficult
> because of that kind of differences. I strongly believe this should stay
> that way (that is: this cant be toggled by a simple useflag).

I disagree. We might want to default the "pie" USE flag differently depending on the profile, but there's no need to force it.
Re: [gentoo-dev] [RFC] News item: GCC 6 defaults to USE="pie ssp"
On Tue, 09 May 2017 12:26:48 -0500
Matthias Maier wrote:

> Title: GCC 6 defaults to USE="pie ssp"
> Author: Matthias Maier
> Content-Type: text/plain
> Posted: 2017-05-07
> Revision: 1
> News-Item-Format: 1.0
> Display-If-Installed: >=sys-devel/gcc-6.3.0
> Display-If-Keyword: amd64
>
> In Gentoo, several GCC features can be default disabled or enabled
> via use-flags of sys-devel/gcc. Starting with gcc-4.8.3 we have
> already enabled default SSP [1]. Since the PIE patchset for default
> position independent executable support was integrated upstream
> [2,3], starting with gcc-6.3 we are also enabling PIE by default (via
> a default-enabled use-flag pie) in regular (non-hardened) profiles.
>
> [Additionally, following Gentoo policies, the default-off use-flags
> nopie (only present in Hardened) and nossp are replaced starting with
> gcc-6 by default-on use-flags pie and ssp.]

There is a *huge* difference between:
Disable PIE support (NOT FOR GENERAL USE)
and the negation of:
pie - Build programs as Position Independent Executables (a security hardening technique)

Enabling the latter builds *everything* as PIE.

> Be advised that switching from an older version to GCC 6 will enable
> the PIE feature by default. This should not cause many problems, but
> it may be necessary to recompile parts of your userland. An indicator
> are linker errors of the form [4]

Do you realize that this breaks linking against about any static lib ever built before upgrading ? And I'm not even considering people toggling the flag.

While I believe it might be a bit too early to default-enable pie, why not, but the news item *must* contain instructions that people should 'emerge -e world' in order for it to work.

Also, I don't believe default-pie should even be a useflag. It's always been forced-on for hardened and forced-off for non-hardened I think. Switching between the two types of profiles has always been difficult because of that kind of differences. I strongly believe this should stay that way (that is: this cant be toggled by a simple useflag).

Bests,
Alexis.