Starting with Stretch, GCC and dpkg could compile executables with PIE and bindnow enabled by default on amd64 and some other architectures.

This page is intended to help with fixing the related bugs and to track the progress of the transition.

The plan is to change GCC and dpkg so that they generate PIE-enabled executables by default on selected architectures, and also to enable the bindnow hardening setting on all architectures. The latter change could be done independently, but doing both together saves an archive-wide rebuild.
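As an added example (not from the Debian wiki or from dpkg), the following check inspects an ELF64 little-endian image, as produced on amd64, and reports whether it is a PIE and whether it was linked with bindnow, so the result of the transition can be verified without readelf. The sample images at the bottom are constructed in memory, not taken from any real package.

```python
# Added example (not from the Debian wiki or dpkg): check an ELF64 little-endian
# (amd64) image for the two properties this transition turns on, PIE and BIND_NOW.
import struct

ET_EXEC, ET_DYN, PT_DYNAMIC, PT_INTERP = 2, 3, 2, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000


def check_hardening(data: bytes) -> dict:
    # Return {'pie': bool, 'bindnow': bool} for an ELF64 little-endian image.
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from("<HHIQQQIHHH", data, 16)
    has_interp, dyn = False, {}
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_INTERP:          # only executables carry an interpreter
            has_interp = True
        elif p_type == PT_DYNAMIC:       # walk the dynamic section up to DT_NULL
            for pos in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, pos)
                if tag == DT_NULL:
                    break
                dyn[tag] = val
    flags1 = dyn.get(DT_FLAGS_1, 0)
    # ET_DYN alone also describes shared libraries; PT_INTERP or DF_1_PIE marks a PIE.
    pie = e_type == ET_DYN and (has_interp or bool(flags1 & DF_1_PIE))
    # -Wl,-z,now is recorded as DT_BIND_NOW, DF_BIND_NOW in DT_FLAGS, or DF_1_NOW.
    bindnow = (DT_BIND_NOW in dyn or bool(dyn.get(DT_FLAGS, 0) & DF_BIND_NOW)
               or bool(flags1 & DF_1_NOW))
    return {"pie": pie, "bindnow": bindnow}


def make_sample(e_type, dyn_entries, interp):
    # Constructed minimal ELF64 image: header, program headers, dynamic section.
    phnum = 1 + int(interp)
    hdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8) + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries + [(DT_NULL, 0)])
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 0, 64 + 56 * phnum, 0, 0, len(dyn), len(dyn), 8)
    if interp:
        phdrs += struct.pack("<IIQQQQQQ", PT_INTERP, 0, 0, 0, 0, 0, 0, 1)
    return hdr + phdrs + dyn


# Constructed samples: a Stretch-style hardened build, an old-style build, and a .so.
HARDENED = make_sample(ET_DYN, [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW | DF_1_PIE)], True)
LEGACY = make_sample(ET_EXEC, [], True)                            # non-PIE, lazy binding
SHARED_LIB = make_sample(ET_DYN, [(DT_FLAGS_1, DF_1_NOW)], False)  # ET_DYN but not a PIE

if __name__ == "__main__":
    for name, img in [("hardened", HARDENED), ("legacy", LEGACY), ("shared lib", SHARED_LIB)]:
        print(name, check_hardening(img))
```

To check a real binary, pass the bytes of the file to check_hardening; the PT_INTERP test is what keeps a plain shared library from being reported as a PIE.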

Call for porters to opt-in for PIE

The proposed patches for GCC (#835148) and dpkg (#835146, #835149) have been submitted to the BTS.

The first test build finished with 1188 packages failing: https://lists.debian.org/debian-devel/2016/08/msg00620.html

Updating the patches decreased the number to 1036, with more than 700 being Haskell-related: https://lists.debian.org/debian-devel/2016/09/msg00180.html

Ubuntu and other distributions have already done a similar transition and recorded their experience:

https://wiki.ubuntu.com/SecurityTeam/PIE

https://wiki.ubuntu.com/SteveBeattie/PIENotes