stdenv: Enable PIE by default

NixOS · Mar 30, 2024 · 35e7a1b · 35e7a1b
1 parent d7ece48
commit 35e7a1b
Showing 1 changed file with 2 additions and 6 deletions.
diff --git a/pkgs/build-support/bintools-wrapper/default.nix b/pkgs/build-support/bintools-wrapper/default.nix
@@ -45,14 +45,10 @@
     "stackprotector"
     "strictoverflow"
   ] ++ lib.optional (with stdenvNoCC;
-    # Musl-based platforms will keep "pie", other platforms will not.
-    # If you change this, make sure to update section `{#sec-hardening-in-nixpkgs}`
-    # in the nixpkgs manual to inform users about the defaults.
-    targetPlatform.libc == "musl"
-    # Except when:
+    # Always enable PIE except when using musl for:
     #    - static aarch64, where compilation works, but produces segfaulting dynamically linked binaries.
     #    - static armv7l, where compilation fails.
-    && !(targetPlatform.isAarch && targetPlatform.isStatic)
+    !(targetPlatform.libc == "musl" && targetPlatform.isAarch && targetPlatform.isStatic)
   ) "pie"
 
 # Darwin code signing support utilities