On Thu, 24 Dec 2009, Kees Cook wrote:
> > > With the new package, the arch-specific logic for hardening defaults
> > > is in one place, and a maintainer can selectively disable anything
> > > they don't want on by default.
> >
> > This might be a good compromise to get network services hardened
> > without changing the default build system. Is there a plan for which
>
> That's certainly a viable plan. This is kind of the approach we took in
> Ubuntu for the PIE feature. We also considered packages with a less than
> stellar security history. The list of packages built with PIE in Ubuntu
> is: (see https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/BuiltPIE )
>
> amavisd-new apache2 asterisk bind9 cups cyrus-sasl2 dhcp3 dovecot exim4
> ipsec-tools mysql-dfsg-5.1 nagios3 nagios-plugins ntp openbsd-inetd
> openldap openssh postfix postgresql-8.3 samba sendmail squid wireshark
> xinetd
The problem with PIE is that it is not supported by Debian's gdb (#346409). That's why I disabled it again for apache2.
IIRC, there were also some apps (python?) that have performance problems with PIE. Therefore, PIE should not be switched on by default yet.
For the other options, I agree.
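To check whether a shipped binary actually ended up position-independent (for instance after PIE was switched off again for apache2), here is an added check that is not code from this thread: it parses the ELF64 header and program headers itself, so it needs no readelf, and treats an ET_DYN object that still carries a PT_INTERP header as a PIE. The classify_file name, the constructed sample images and the 64 KiB read size are my own assumptions.

```python
import struct

ET_EXEC, ET_DYN = 2, 3        # e_type values from the ELF spec
PT_LOAD, PT_INTERP = 1, 3     # p_type values from the ELF spec

def classify_elf(data: bytes) -> str:
    """Return 'exec' (fixed address), 'pie', 'shared' or 'other'.
    gcc -pie emits an ET_DYN object, the same e_type as a shared library;
    what marks it as a PIE is that it still has a PT_INTERP program header
    (it needs the dynamic loader to start). ELF64 little-endian only."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    if e_type == ET_EXEC:
        return "exec"
    if e_type != ET_DYN:
        return "other"
    for i in range(e_phnum):
        p_type = struct.unpack_from("<I", data, e_phoff + i * e_phentsize)[0]
        if p_type == PT_INTERP:
            return "pie"
    return "shared"

def classify_file(path: str) -> str:
    """Classify a binary on disk, e.g. classify_file("/usr/sbin/apache2")."""
    with open(path, "rb") as fh:
        return classify_elf(fh.read(65536))  # program headers follow the header

def make_elf64(e_type: int, phdr_types) -> bytes:
    """Constructed sample: a bare ELF64 header followed by program headers.
    Not loadable; it only exercises the header fields classify_elf reads."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LE, v1
    phoff, phentsize = 64, 56
    hdr = e_ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, phoff,
                                0, 0, 64, phentsize, len(phdr_types), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, 0, 0, 0, 0, 0, 0)
                     for t in phdr_types)
    return hdr + phdrs

if __name__ == "__main__":
    for name, img in [("non-PIE", make_elf64(ET_EXEC, [PT_LOAD])),
                      ("PIE", make_elf64(ET_DYN, [PT_INTERP, PT_LOAD])),
                      ("library", make_elf64(ET_DYN, [PT_LOAD]))]:
        print(f"{name:8} -> {classify_elf(img)}")
```

Running it over the real installed binaries of the packages listed above shows directly which ones are PIE on a given system, independent of what the build flags were meant to do.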