I do believe pie is explicitly disabled when building Python 3.6. Using hardening-check on Ubuntu Bionic (from the devscripts package):
$ hardening-check /usr/bin/python3
/usr/bin/python3:
Position Independent Executable: no, normal executable!
Stack protected: yes
Fortify Source functions: yes (some protected functions found)
Read-only relocations: yes
Immediate binding: no, not found!
Also from debian/rules in http://archive.ubuntu.com/ubuntu/pool/main/p/python3.6/python3.6_3.6.5-3.debian.tar.xz:
export DEB_BUILD_MAINT_OPTIONS=hardening=-pie
According to http://manpages.ubuntu.com/manpages/bionic/man1/dpkg-buildflags.1.html this syntax disables pie - it should be "+pie", and is enabled by default on Bionic:
$ dpkg-buildflags --status
dpkg-buildflags: status: vendor is Ubuntu
dpkg-buildflags: status: future features: lfs=no
dpkg-buildflags: status: hardening features: bindnow=no format=yes fortify=yes pie=yes relro=yes stackprotector=yes stackprotectorstrong=yes
dpkg-buildflags: status: qa features: bug=no canary=no
dpkg-buildflags: status: reproducible features: fixdebugpath=yes timeless=yes
dpkg-buildflags: status: sanitize features: address=no leak=no thread=no undefined=no
...
with the environment variable set:
$ DEB_BUILD_MAINT_OPTIONS=hardening=-pie dpkg-buildflags --status
dpkg-buildflags: status: environment variable DEB_BUILD_MAINT_OPTIONS=hardening=-pie
dpkg-buildflags: status: vendor is Ubuntu
dpkg-buildflags: status: future features: lfs=no
dpkg-buildflags: status: hardening features: bindnow=no format=yes fortify=yes pie=no relro=yes stackprotector=yes stackprotectorstrong=yes
dpkg-buildflags: status: qa features: bug=no canary=no
dpkg-buildflags: status: reproducible features: fixdebugpath=yes timeless=yes
dpkg-buildflags: status: sanitize features: address=no leak=no thread=no undefined=no
...
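The effect of a line like hardening=-pie can be checked mechanically when auditing source packages. The following is an added example, not part of the original report and not dpkg's own code: it applies a DEB_BUILD_MAINT_OPTIONS value to the default hardening features from the status output quoted above and lists the defaults that debian/rules turns off. The function names and the sample rules fragment are constructed for illustration, and it assumes plain = or := assignments with no make-variable expansion, feature dependencies or per-architecture masking.

```python
import re

# Constructed input: the "hardening features" line from the Bionic
# dpkg-buildflags --status output quoted in the report.
STATUS_LINE = ("dpkg-buildflags: status: hardening features: bindnow=no format=yes "
               "fortify=yes pie=yes relro=yes stackprotector=yes stackprotectorstrong=yes")
# Constructed debian/rules fragment; the export line is the one quoted in the report.
SAMPLE_RULES = ("#!/usr/bin/make -f\n"
                "export DEB_BUILD_MAINT_OPTIONS=hardening=-pie\n"
                "%:\n\tdh $@\n")

ASSIGN = re.compile(r"^\s*(?:export\s+)?DEB_BUILD_MAINT_OPTIONS\s*:?=\s*(.*)$")

def parse_status(line, area="hardening"):
    """Turn '<area> features: a=yes b=no' into {feature: bool}."""
    _, _, tail = line.partition(area + " features:")
    return {k: v == "yes" for k, v in (tok.split("=", 1) for tok in tail.split())}

def apply_options(defaults, value, area="hardening"):
    """Apply an 'area=+x,-y other=...' option string on top of the defaults."""
    state = dict(defaults)
    for item in value.split():
        name, _, feats = item.partition("=")
        if name != area:
            continue
        for feat in feats.split(","):
            if not feat or feat[0] not in "+-":
                continue  # a feature needs an explicit + or - modifier
            on, feat = feat[0] == "+", feat[1:]
            # "all" is the special feature that switches the whole area
            for target in (list(state) if feat == "all" else [feat]):
                if target in state:
                    state[target] = on
    return state

def audit_rules(rules_text, defaults):
    """Return the features that are on by default but off after debian/rules."""
    state = dict(defaults)
    for line in rules_text.splitlines():
        m = ASSIGN.match(line)
        if m:  # simplification: the last assignment wins
            state = apply_options(defaults, m.group(1).strip().strip("'\""))
    return sorted(f for f, on in defaults.items() if on and not state[f])

if __name__ == "__main__":
    print("disabled by debian/rules:", audit_rules(SAMPLE_RULES, parse_status(STATUS_LINE)))
```
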