Starting with Stretch, GCC and dpkg could build executables with PIE (position independent executable) and bindnow enabled by default on amd64 and some other architectures.
This page is intended to help with fixing the related bugs and to track the progress of the transition.
The plan is to change GCC and dpkg so that they generate PIE executables by default on selected architectures, and also to enable the bindnow hardening setting on all architectures. Since bindnow is a pure link-time setting (-Wl,-z,now), it does not depend on the architecture and could be enabled independently, but doing both changes together saves an archive-wide rebuild.
Call for porters to opt in to PIE
The proposed patches for GCC (#835148) and dpkg (#835146, #835149) have been submitted to the BTS.
Patched GCC 6 and dpkg packages are available in a test repository for verifying fixes, for example:
sbuild -As -j1 --arch=amd64 -d unstable --extra-repository="deb https://people.debian.org/~rbalint/ppa/pie-bindnow pie-bindnow-unstable/" my-package_*.dsc
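To confirm that a package rebuilt against the test repository actually came out as PIE with bindnow, the following script parses the ELF header, program headers and dynamic section directly (the same information readelf -h and readelf -d print). It is an added example, not code from this page or from the GCC and dpkg patches; the build_sample_elf helper constructs a minimal, non-runnable ELF image so the check can be exercised without a real binary.

```python
import struct
import sys

# Constants from elf.h
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

# Elf64_Ehdr, Elf64_Phdr, Elf64_Dyn (little-endian)
EHDR_FMT, PHDR_FMT, DYN_FMT = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"


def check_hardening(data):
    """Classify an ELF64 little-endian image and report its PIE and BIND_NOW state."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not an ELF64 little-endian file")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    has_interp, dynamic = False, None
    for i in range(e_phnum):
        phdr = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        p_type, p_offset, p_filesz = phdr[0], phdr[2], phdr[5]
        if p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    flags = flags_1 = 0
    bind_now_tag = False
    if dynamic:
        off, size = dynamic
        for pos in range(off, off + size, 16):
            tag, val = struct.unpack_from(DYN_FMT, data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW:      # older tag; GNU ld records -z now in DT_FLAGS/DT_FLAGS_1
                bind_now_tag = True
            elif tag == DT_FLAGS:
                flags = val
            elif tag == DT_FLAGS_1:
                flags_1 = val
    # ET_DYN alone does not mean PIE: shared libraries are ET_DYN too. A PIE
    # carries a PT_INTERP, and newer linkers additionally set DF_1_PIE.
    if e_type == ET_DYN and (has_interp or flags_1 & DF_1_PIE):
        kind = "PIE executable"
    elif e_type == ET_DYN:
        kind = "shared object"
    elif e_type == ET_EXEC:
        kind = "non-PIE executable"
    else:
        kind = "other"
    bindnow = bind_now_tag or bool(flags & DF_BIND_NOW) or bool(flags_1 & DF_1_NOW)
    return {"kind": kind, "pie": kind == "PIE executable", "bindnow": bindnow}


def build_sample_elf(e_type, dyn_entries, with_interp=True):
    """Constructed minimal ELF64 LE image: header, program headers, dynamic section, interp string.

    It contains no code and cannot run; it only exercises the checks above.
    """
    phnum = 2 if with_interp else 1
    dyn_off = 64 + 56 * phnum
    dyn = b"".join(struct.pack(DYN_FMT, tag, val) for tag, val in dyn_entries + [(DT_NULL, 0)])
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    interp_off = dyn_off + len(dyn)
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9      # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = struct.pack(EHDR_FMT, ident, e_type, 62, 1, 0x1000, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    phdrs = struct.pack(PHDR_FMT, PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    if with_interp:
        phdrs += struct.pack(PHDR_FMT, PT_INTERP, 4, interp_off, 0, 0, len(interp), len(interp), 1)
    return ehdr + phdrs + dyn + interp


if __name__ == "__main__":
    # With no arguments, check the constructed sample; otherwise check the given binaries.
    if len(sys.argv) == 1:
        sample = build_sample_elf(ET_DYN, [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)])
        inputs = [("sample-pie", sample)]
    else:
        inputs = [(p, open(p, "rb").read()) for p in sys.argv[1:]]
    for name, image in inputs:
        r = check_hardening(image)
        print(f"{name}: {r['kind']}, bindnow={'yes' if r['bindnow'] else 'no'}")
```

Run it over the binaries of a rebuilt package (for example the contents of debian/tmp/usr/bin) to spot executables that were linked with an explicit -no-pie or without -z now. The PT_INTERP test matters: a library is also ET_DYN, so checking only the ELF type would report every shared object as a PIE.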
The first test build finished with 1188 packages failing: https://lists.debian.org/debian-devel/2016/08/msg00620.html
Updating the patches decreased the number to 1036, more than 700 of them Haskell-related: https://lists.debian.org/debian-devel/2016/09/msg00180.html
Ubuntu and other distributions have already done a similar transition and recorded their experience:
https://wiki.ubuntu.com/SecurityTeam/PIE
https://wiki.ubuntu.com/SteveBeattie/PIENotes
https://wiki.gentoo.org/wiki/Hardened/Position_Independent_Code_internals
https://wiki.gentoo.org/wiki/Hardened/Introduction_to_Position_Independent_Code
Bugs found in the first rebuild: tag=pie-bindnow-20160906
Many FTBFS bugs can be solved by binNMUs without changing the source package; those bugs are titled accordingly.
In the remaining cases, Ubuntu's patches typically pass -no-pie to the compiler only on the architectures where PIE is the default. In Debian (unstable) it is usually safe to pass -fno-pie on all architectures, because GCC 6 and even older GCCs accept it without emitting an error. Note that -fno-pie only affects code generation: if the link step must also produce a non-PIE executable, the link-time flag is -no-pie, which older GCC versions do not accept.
There is a proposed change to Policy to allow PIC in static libraries, but it may be rejected: #837478
Some packages changed their shipped static libraries to PIC, which also fixed building their reverse dependencies with PIE. This is permitted by the current Policy, provided that a discussion on debian-devel took place first.
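The failures behind the -fno-pie workaround and the static-library discussion above are absolute relocations in non-PIC objects: on amd64 these are R_X86_64_32 and R_X86_64_32S, which ld refuses when producing a PIE ("relocation ... can not be used when making a ... object; recompile with -fPIC"). The script below is an added example, not code from this page or from the GCC and dpkg patches. It scans a static library (ar archive) member by member for such relocations, so a maintainer can tell whether a library needs to be rebuilt as PIC or whether its reverse dependencies need -fno-pie/-no-pie instead. The relocation types are amd64-specific; build_sample_object and build_ar construct minimal sample objects and an archive so the script runs without a real library.

```python
import struct
import sys

# Constants from elf.h. The relocation types are x86-64 specific; other
# architectures have their own absolute relocation types.
SHT_RELA, SHF_ALLOC = 4, 0x2
R_X86_64_32, R_X86_64_32S = 10, 11
ABSOLUTE_RELOCS = {R_X86_64_32, R_X86_64_32S}
SHDR_FMT, RELA_FMT = "<IIQQQQIIQQ", "<QQq"      # Elf64_Shdr, Elf64_Rela


def absolute_relocs_in_object(data):
    """Count relocations in an ELF64 LE relocatable object that a PIE link rejects.

    Only relocations applied to allocated sections (.text, .data, ...) count:
    DWARF sections carry R_X86_64_32 entries too, but ld does not complain
    about those because they are never mapped at run time.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not an ELF64 little-endian object")
    e_shoff = struct.unpack_from("<Q", data, 40)[0]
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 58)
    shdrs = [struct.unpack_from(SHDR_FMT, data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    count = 0
    for sh in shdrs:
        sh_type, sh_offset, sh_size, sh_info = sh[1], sh[4], sh[5], sh[7]
        if sh_type != SHT_RELA or not (shdrs[sh_info][2] & SHF_ALLOC):
            continue
        for pos in range(sh_offset, sh_offset + sh_size, 24):
            _r_offset, r_info, _r_addend = struct.unpack_from(RELA_FMT, data, pos)
            if (r_info & 0xFFFFFFFF) in ABSOLUTE_RELOCS:     # ELF64_R_TYPE(r_info)
                count += 1
    return count


def scan_static_library(data):
    """Map each ELF member of an ar archive (static library) to its absolute-relocation count."""
    if not data.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos, results = 8, {}
    while pos + 60 <= len(data):
        name = data[pos:pos + 16].decode("ascii", "replace").strip().rstrip("/")
        size = int(data[pos + 48:pos + 58])
        member = data[pos + 60:pos + 60 + size]
        if member.startswith(b"\x7fELF"):          # skips the symbol table and long-name members
            results[name] = absolute_relocs_in_object(member)
        pos += 60 + size + (size % 2)              # members are padded to an even offset
    return results


def build_sample_object(reloc_types, alloc=True):
    """Constructed ET_REL image: .text, a .rela.text with the given relocation types, .shstrtab."""
    text = b"\x90" * 16
    rela = b"".join(struct.pack(RELA_FMT, 2, (1 << 32) | t, -4) for t in reloc_types)
    shstrtab = b"\0.text\0.rela.text\0.shstrtab\0"
    text_off, rela_off = 64, 64 + len(text)
    str_off = rela_off + len(rela)
    shoff = str_off + len(shstrtab)
    shoff += (-shoff) % 8
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 1, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 4, 3)

    def shdr(name, typ, flags, off, size, info=0, entsize=0):
        return struct.pack(SHDR_FMT, name, typ, flags, 0, off, size, 0, info, 1, entsize)

    text_flags = 0x6 if alloc else 0               # SHF_ALLOC|SHF_EXECINSTR, or a debug-like section
    shdrs = (shdr(0, 0, 0, 0, 0)
             + shdr(1, 1, text_flags, text_off, len(text))
             + shdr(7, SHT_RELA, 0, rela_off, len(rela), info=1, entsize=24)   # applies to section 1
             + shdr(18, 3, 0, str_off, len(shstrtab)))
    body = ehdr + text + rela + shstrtab
    return body + b"\0" * (shoff - len(body)) + shdrs


def build_ar(members):
    """Constructed ar archive without a symbol table, from (name, bytes) pairs."""
    out = b"!<arch>\n"
    for name, data in members:
        hdr = ((name + "/").ljust(16) + "0".ljust(12) + "0".ljust(6) + "0".ljust(6)
               + "644".ljust(8) + str(len(data)).ljust(10)).encode() + b"`\n"
        out += hdr + data + (b"\n" if len(data) % 2 else b"")
    return out


if __name__ == "__main__":
    if len(sys.argv) == 1:
        pic = build_sample_object([2, 4])          # R_X86_64_PC32, R_X86_64_PLT32: fine in a PIE
        nonpic = build_sample_object([10, 2, 11])  # R_X86_64_32 and R_X86_64_32S: rejected
        archive = build_ar([("pic.o", pic), ("nonpic.o", nonpic)])
    else:
        archive = open(sys.argv[1], "rb").read()
    for member, n in scan_static_library(archive).items():
        print(f"{member}: {n} absolute relocation(s)" if n else f"{member}: PIE-safe")
```

Pointed at an installed libfoo.a it lists the members that would break a PIE link of a reverse dependency; a library reporting zero absolute relocations in allocated sections was built as PIC (or never takes absolute addresses) and needs no Policy exception. Real archives contain a symbol table and possibly a long-name table as their first members; both are skipped because they are not ELF objects.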