Profile 17.0

[mv]

[mv]

[eccerr0r]

That's the thing, without testing, we don't know for sure, plus I've been noticing constant slowdown on x86 on things that supposedly hasn't changed much. My specific concern is that programs like Firefox have already been growing so slow that it's already painful. Continually adding mere 1% performance hits here and there for whatever reason, it adds up.

I would imagine that the checks for the unix file permission system is much less than 1% as it only need to be checked when the resource is being used. On the other end of the spectrum, it's also not nearly as bad as if the kernel/cpu needs to trap and emulate frequently used instructions. To implement position independence on x86 it's somewhere in between, but it depends on the actual program to know where. It's several instructions to do the calculation - even if it averages one every 100 instructions, that gets that roughly 1% penalty. But it's good if gcc will try to avoid doing this if it doesn't need to.

If all that's needed is to simply add CFLAGS=-nopie to revert back to old behavior, that's fine. Or if this turns out to be a penalty of 0.1% or less without intervention, but there was a reason why this wasn't done by default a long time ago.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[tholin]

[tld]

With my x86 systems (especially my MythTV systems) I'm actually more concerned about the need to recompile everything than I am about the potential for a performance hit...though that's a bit of a concern as well.

Recompiling everything is a pretty huge deal on these systems. Even the recompile required for gcc 4 to 5 for the C++11 ABI was significant. The good news there was supposed to be that wasn't needed when going from gcc 5 to 6. Now suddently I find out I need to recompile everything...something I haven't had to do since going from gcc 3 to 4. MythTV unfortunately requires dev-qt/qtwebkit:5. That one package alone takes 7 hours to compile. Horrible. Especially if gcc 6 is even a little slower than previous versions that could take days on those systems (and maybe longer on this one as I have a lot more installed).

I suppose I could compile things niced and continue using the systems and hope for the best but this is pretty awful. I've yet to read anything that's convinced me it's really necessary.

EDIT: Just to clarify: I understand that a mix of pie and -pie is an issue...I just haven't seen anything that convinces me that using -pie globally would be.

Tom

[eccerr0r]

It very well be that we've already experiencing the performance loss by position independence, then. I have never used webkit based browsers on x86-32 but the firefox slowness has been around for a while among other programs simple programs that used to perform acceptably but no longer, even if it's due to code bloat instead of PI, but ultimately PI can only make things worse.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?

[dmpogo]

So gcc-5 is masked under 17.0 profile. Supposedly, to use it for some programs that need it (say it is the last version to support gcj), I need to umask it. However will it be able to generate working code, given that all the libraries are compiled with gcc-6 and +pie option ?

[The Doctor]

[tholin]

[The Doctor]

[MrCat]

It all went smooth for me, I even forgot about this pie stuff until today. In case anyone is a dumb as I'm, don't forget to @module-rebuild if you rebuild your kernel using the new profiles... you can imagine what happens if you don't.

[wjb]

@The Doctor
If its just needed to rebuild packages that install .a files, I think I have some python that will more or less do that. Take about an hour to bash into shape.

Its taken a day and a half to update the i7, and not looking forward to a full rebuild on the much slower laptop.

EDIT: https://github.com/wwjjbb/rebuild-static-libs

[NeddySeagoon]

wjb,

I think it wan mv who stated the same thing and gave a one liner.
I'll link to the post if I can find it.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[Sembiance]

[tld]

[Sembiance]

[dmpogo]

[dmpogo]

[krinn]

The real problem with PIE is that it doesn't protect from malware presence, it only try to make their life harder.
So where PIE would be a saver, well, it would be a real saver when someone is trying to find an hole in your system, which imply someone has access to that system.

And that is what is trouble me then: why PIE on everyone when PIE has specific usage.

When PIE would be of help out of malware: only when user have a weak user password allowing someone to use that account to execute program using that account searching a breach in memory.
This is really not typical use case of a "desktop" computer.

Of course user could have only 1 account, but weak password with it, that might be typical desktop case too, but really, do anyone think if someone has such computer configure to allow access to that user account with weak password, any attacker would had trouble because of PIE? Such bad setup might have way easier "legit" things already setup (lol at weak user password with ssh access and sudo without password because user is in wheel group : free root for everyone!)

So for me, PIE would be of help if you have many accounts and one might be weak and you fail at detecting the weak account, that's something seen on big server computer (because the number of users may bypass your vigilance) ; not really the typical desktop computer anyone use.

So it raise the question: if PIE have a speed impact (and it does, no need to quantify it, we all know it does), and PIE is gold with multi-users, why PIE on everyone per default?
Do you really need PIE on your NAS? on your personal fileserver? on your NFS server? on your desktop? on your DLNA server? ...
If all those case are only aim at YOUR own usage, you don't have internet ssh to them, because you typically don't need any, and they are all normally outside DMZ because they never provide anything to anyone on internet.
Why would my DLNA/NFS/sound streaming whatever personal computer for my own use have PIE enable then?

If i have a computer that do provide internet service (even as little as an ssh access), i might consider making it all PIE enable (well, you better use strong password, ssh-key only login, and a good firewall then PIE in real), but it still might make sense for me. But it's not really typical use case of a computer.
The idea is: if i have a door, even locked, then there is a door and maybe someone might open it. Once he is in, PIE will make his life harder, it's shitty he is in, but at least, i might see his presence while he battle against my programs that are all PIE).
I would also PIE a laptop computer if i move with it, connecting to insecure (anyway random) networks...

But profile 17.0 doesn't make any distinction, everyone must use PIE because, all programs must be secure ; for what? Prevent malware from using your computer as bot? (PIE doesn't prevent malware, it might make malware's life harder, it doesn't prevent you from having one), prevent someone using your computer when you have no internet entry? Oh, to prevent someone that have access to your keyboard to find a way to get root?

So PIE is a good feature in hardened profiles, because you should know if you have need for hardening your computer or not.
But it should remain like it was, a default option that make sense in hardened profiles, a stupid option to make default in non hardened profiles.
What's the next move: make mandatory kernel with selinux?

To cite someone:

[proteusx]

Here is what I did to migrate to profile 17.0 without PIE and without recompiling @world.

• I do not need PIE
  

  Code:

  echo "sys-devle/gcc pie" >> /etc/portage/profile/package.use.mask/profile-17.0.mask echo "*/* -pie" >> /etc/portage/package.use/global.use

  
  
  
• Unmask my current compiler sys-devl/gcc:5.4.0 (used by my cross compilers too).
  

  Code:

  echo "sys-devel/gcc:5.4.0" >> /etc/portage/package.unmask/profile-17.0.unmask

  
  
  
• I need pdftk which is masked in profile 17.0
  

  Code:

  echo "app-text/pdftk:0" >> /etc/portage/package.unmask/profile-17.0.unmask

  
  
  
• I need qtcore:4[icu] because I still use kde4.
  

  Code:

  echo "dev-qt/qtcore:4 -icu" >> /etc/portage/profile/package.use.mask/profile-17.0.mask

  
  
  
• Select the new profile and emerge world.
  

  Code:

  # eselect default/linux/amd64/17.0/desktop # emerge -DuNa world  --with-bdeps=y Nothing to merge; quitting.

  
  

Thus I can continue with the new profile as if nothing happened.
I post this in case it is useful to someone else.

[wjb]

[allistarM]

A rebuild of everything will take some time. Am I safe to use distcc for this when one of the build hosts is still on the 13.0 profile using gcc 5? If I switch to gcc 6.4 on all build hosts will that be sufficient or do I need to do this rebuild entirely on a single server? Is the PIE thing a compile time change or a prt of the linking process? If the latter then I expect distcc will be fine.

[mv]

[Hu]

[NeddySeagoon]

Hu,

What about adding -fpie to CFLAGS on the client?
That would pass -fpie no the helpers and pie code would arrive back.

Is that the right flag though, I think there is also a -fPIE?

I can see problems with those packages that set their own CFLAGS. The -fpie might get dropped.
Where its an internal gcc setting, that's not possible.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.