Starting with Stretch, GCC and dpkg could build executables with PIE enabled by default on amd64 and some other architectures, and with bindnow enabled by default on all architectures.

This page is intended to help with fixing the related bugs and to track the progress of the transition.

The plan is to change GCC and dpkg so that they generate PIE executables by default on selected architectures, and to enable the bindnow hardening setting on all architectures. The bindnow change could be done independently, but doing both together saves an archive-wide rebuild.

Call for porters to opt-in for PIE

The proposed patches for GCC (#835148) and dpkg (#835146, #835149) have been submitted to the BTS.

Patched GCC 6 and dpkg packages are available for testing fixes, for example by building a package against the repository with sbuild:

sbuild -As -j1 --arch=amd64 -d unstable  --extra-repository="deb https://people.debian.org/~rbalint/ppa/pie-bindnow pie-bindnow-unstable/" my-package_*.dsc
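A quick check that a package built against the test repository actually came out as PIE and bindnow, as an added example that is not part of this page or of the Debian toolchain: it parses the ELF header and the PT_DYNAMIC segment of a little-endian ELF64 file directly, which is the same information that readelf -h (e_type) and readelf -d (DT_FLAGS, DT_FLAGS_1, DT_BIND_NOW) print and that hardening-check from devscripts evaluates. The build_elf64 helper only constructs minimal, non-executable test fixtures so the script can be exercised without a compiler; on a real system run it on the binaries extracted from the built .deb (e.g. with dpkg-deb -x).

```python
"""Check whether ELF64 binaries were built as PIE and linked with bindnow.

Added example (not from the Debian wiki page): it reads the ELF header and
the PT_DYNAMIC segment directly, the information readelf -h / readelf -d
show, so it needs no binutils.
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8          # in DT_FLAGS
DF_1_NOW = 0x1             # in DT_FLAGS_1 (what -z now sets on current binutils)
DF_1_PIE = 0x08000000      # in DT_FLAGS_1, set by newer binutils for -pie links

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr
DYN = struct.Struct("<qQ")                  # Elf64_Dyn


def dynamic_entries(data):
    """Return (e_type, [(d_tag, d_val), ...]) for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled")
    hdr = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    entries = []
    for i in range(e_phnum):
        ph = PHDR.unpack_from(data, e_phoff + i * e_phentsize)
        if ph[0] != PT_DYNAMIC:
            continue
        p_offset, p_filesz = ph[2], ph[5]
        for j in range(p_filesz // DYN.size):
            tag, val = DYN.unpack_from(data, p_offset + j * DYN.size)
            if tag == DT_NULL:          # DT_NULL terminates the dynamic array
                break
            entries.append((tag, val))
    return e_type, entries


def hardening_status(data):
    """Report the PIE / bindnow state of one ELF64 image as a dict."""
    e_type, dyn = dynamic_entries(data)
    tags = dict(dyn)
    flags, flags1 = tags.get(DT_FLAGS, 0), tags.get(DT_FLAGS_1, 0)
    return {
        # An executable is PIE iff it is ET_DYN; shared libraries are ET_DYN
        # too, so only apply this check to files installed as programs.
        "pie": e_type == ET_DYN,
        "df_1_pie": bool(flags1 & DF_1_PIE),
        # Any of the three encodings makes ld.so resolve all symbols at load time.
        "bindnow": (DT_BIND_NOW in tags or bool(flags & DF_BIND_NOW)
                    or bool(flags1 & DF_1_NOW)),
        # No dynamic entries at all: statically linked, bindnow does not apply.
        "static": not dyn,
    }


def build_elf64(e_type, dyn):
    """Construct a minimal ELF64 image with one PT_DYNAMIC segment.

    Test fixture constructed here for illustration; it is not a real program
    and cannot be executed.
    """
    dyn_bytes = b"".join(DYN.pack(t, v) for t, v in dyn) + DYN.pack(DT_NULL, 0)
    dyn_off = EHDR.size + PHDR.size
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, version 1
    ehdr = EHDR.pack(ident, e_type, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, 1, 0, 0, 0)    # e_machine 62 = x86-64
    phdr = PHDR.pack(PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                     len(dyn_bytes), len(dyn_bytes), 8)
    return ehdr + phdr + dyn_bytes


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, hardening_status(f.read()))
```

The script only reads the dynamic tags. The security value of bindnow (a read-only GOT, i.e. full RELRO) additionally requires the GNU_RELRO segment that -z relro produces, which this check does not inspect; readelf -l shows it.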

The first test rebuild finished with 1188 packages failing to build: https://lists.debian.org/debian-devel/2016/08/msg00620.html

Updating the patches reduced the number to 1036, more than 700 of which are Haskell-related: https://lists.debian.org/debian-devel/2016/09/msg00180.html

Ubuntu and other distributions have already done a similar transition and recorded their experience:

https://wiki.ubuntu.com/SecurityTeam/PIE

https://wiki.ubuntu.com/SteveBeattie/PIENotes

https://wiki.gentoo.org/wiki/Hardened/Position_Independent_Code_internals

https://wiki.gentoo.org/wiki/Hardened/Introduction_to_Position_Independent_Code

Bugs found in the first rebuild: tag=pie-bindnow-20160906

Many of the FTBFS bugs can be fixed by binNMUs, without changing the source package; those bugs are titled accordingly.

In the remaining cases, Ubuntu's patches typically pass -no-pie to the compiler only on the architectures where PIE is the default, because -no-pie is only understood from GCC 6 on. In Debian (unstable) it is usually safe to pass -fno-pie unconditionally on all architectures, because GCC 6 and even older GCC releases accept it without error.

There is a proposed change to Debian Policy to allow PIC in static libraries, but it may be rejected: #837478

Some packages have already changed their shipped static libraries to PIC, which also fixed building their reverse dependencies with PIE. This is allowed by the current Policy, which permits the change provided that a discussion took place on debian-devel.