Re: Enabling PKGSRC_MKPIE by default

[Hauke Fath <hauke%Espresso.Rhein-Neckar.DE@localhost>]

At 16:54 Uhr +0200 28.10.2017, Pierre Pronchery wrote:
>> A quick grep of PIE in pkgsrc/doc/pkgsrc.txt turns up nothing.  SSP and
>> FORTIFY are similarly undocumented.  There was perhaps a notion that the
>
>Sorry, I wasn't aware that these should be documented in there.

Where else, please?

>I have documented them in mk/defaults/mk.conf

When a package I maintain failed with symptoms I have never seen, and which
vaguely point in the direction of "toolchain" - would I look into
"mk/defaults/mk.conf" for help? Would you?

> and on the wiki at
>https://wiki.netbsd.org/pkgsrc/hardening/. I am still planning on
>improving this wiki page, on which you gave me useful feedback already.

And you announced existence and relevance of that wiki page - where?

When the addition of FORTIFY broke several packages of my build, I stared
bewildered at the error, then googled the message. If the change and its
possible ramifications had been announced on tech-pkg, my search would have
ended there. It didn't, and it did not end in pkgsrc.txt, either.
Eventually, somebody else's report of a broken build pointed me towards
FORTIFY, but still there was no explanation nor details on how to mitigate
the fault.

This change must have created needless additional work for dozens of
package maintainers, who do not necessarily follow pkgsrc-changes daily.
While pkgsrc is generally weak on documentation, global changes have in the
past been explained, discussed, announced in a more clear and transparent
way than here.

Cheerio,
Hauke


--
"It's never straight up and down"     (DEVO)