v2021.1: Mention enabling PIE by default in release notes

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>

v2021.1: Mention enabling PIE by default in release notes
Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
1c9c1470 · Emanuele Aina · 85ae26db · 1c9c1470
Commit 1c9c1470 authored 3 years ago by Emanuele Aina
--- a/content/release/v2021.1/releasenotes.md
+++ b/content/release/v2021.1/releasenotes.md
@@ -78,10 +78,28 @@ small changes are appropriate for this release stream.
 This release includes the security updates from Debian Buster and the latest
 LTS Linux kernel on the 5.10.x series.

-## Deprecations and ABI/API breaks
+## Deprecations

-Being a point release, no new deprecations or ABI breaks are part of
-this release
+No new deprecations or ABI breaks are part of this release.
+
+## ABI/API breaks
+
+### Position Independent Executables are now the default in GCC
+
+During a security audit it was found that due to a limitation in the upstream
+Debian packaging rules in the `gcc` package the default was not to produce
+Position Independent Executables (PIE).
+
+With this release the default has been tweaked to ensure
+that the address space layout randomization (ASLR) technique can be effective
+in mitigating attacks.
+
+This is a pretty safe change, but may still cause unintended effects: affected
+packages can opt-out using `export DEB_BUILD_MAINT_OPTIONS=hardening=-pie` in
+their `debian/rules`.
+
+The archive has not been re-built yet to apply new default to all the binary
+packages, with the rebuild being scheduled for the v2021.2 release.

 ## Infrastructure