Re: Switch on compiler hardening defaults
On Thu, 24 Dec 2009, Kees Cook wrote:
With the new package, the arch-specific logic for hardening defaults
is in one place, and a maintainer can selectively disable anything they
don't want on by default.
This might be a good compromise to get network services hardened
without changing the default build system. Is there a plan for which
That's certainly a viable plan. This is kind of the approach we took in
Ubuntu for the PIE feature. We also considered packages with a less than
stellar security history. The list of packages built with PIE in Ubuntu
is: (see https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/BuiltPIE )
amavisd-new apache2 asterisk bind9 cups cyrus-sasl2 dhcp3 dovecot exim4
ipsec-tools mysql-dfsg-5.1 nagios3 nagios-plugins ntp openbsd-inetd
openldap openssh postfix postgresql-8.3 samba sendmail squid wireshark
The problem with PIE is that it is not supported by Debian's gdb
(#346409). That's why I disabled it again for apache2.
IIRC, there were also some apps (python?) that have performance problems
with PIE. Therefore, PIE should not be switched on by default yet.
For the other options, I agree.
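A maintainer who turns PIE on or off per package (as with apache2 above) wants a quick way to confirm what the linker actually produced. The script below is an added example, not code from this thread or from Debian's or Ubuntu's hardening tooling: it parses the ELF header and program headers itself, so it runs offline without readelf or gdb. A binary is counted as PIE when e_type is ET_DYN and a PT_INTERP segment is present; ET_DYN without an interpreter is a plain shared library, and ET_EXEC is a fixed-address executable that gets no base randomization. The `make_sample_elf` helper builds minimal, non-runnable ELF images purely as constructed sample input; it is an assumption of this example and not a real binary. The check says nothing about whether gdb can debug the result or about the other hardening options discussed in the thread.

```python
"""Classify ELF files as PIE executables, non-PIE executables or shared objects.

Added example for this thread; not part of any Debian/Ubuntu tool.
Only the ELF header and program headers are inspected, which is what the
kernel uses to decide whether the main image is loaded at a randomized base.
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_INTERP = 1, 3

# struct layouts (prefixed with '<' or '>' for byte order)
EHDR64, PHDR64 = "16sHHIQQQIHHHHHH", "IIQQQQQQ"   # 64 and 56 bytes
EHDR32, PHDR32 = "16sHHIIIIIHHHHHH", "IIIIIIII"   # 52 and 32 bytes


def classify_elf(data: bytes) -> str:
    """Return 'pie', 'exec', 'shared-object', 'other-elf' or 'not-elf'."""
    if len(data) < 16 or data[:4] != ELF_MAGIC:
        return "not-elf"
    is64 = data[4] == 2               # EI_CLASS: 1 = ELFCLASS32, 2 = ELFCLASS64
    endian = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little endian
    ehdr_fmt = endian + (EHDR64 if is64 else EHDR32)
    phdr_fmt = endian + (PHDR64 if is64 else PHDR32)
    if len(data) < struct.calcsize(ehdr_fmt):
        return "not-elf"
    fields = struct.unpack_from(ehdr_fmt, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    if e_type == ET_EXEC:
        return "exec"
    if e_type != ET_DYN:
        return "other-elf"            # relocatable object, core file, ...
    # ET_DYN covers both shared libraries and PIE executables; only the
    # latter carry a PT_INTERP segment naming the dynamic loader.
    phdr_size = struct.calcsize(phdr_fmt)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + phdr_size > len(data):
            break                     # truncated image: stop scanning
        p_type = struct.unpack_from(phdr_fmt, data, off)[0]  # p_type is first in both layouts
        if p_type == PT_INTERP:
            return "pie"
    return "shared-object"


def classify_file(path: str) -> str:
    """Classify an on-disk file; unreadable files are reported as 'unreadable'."""
    try:
        with open(path, "rb") as fh:
            return classify_elf(fh.read())
    except OSError:
        return "unreadable"


def make_sample_elf(e_type: int, with_interp: bool, is64: bool = True) -> bytes:
    """Constructed sample input: a minimal little-endian ELF image with one or
    two program headers and no code. Hypothetical, for testing classify_elf only."""
    ehdr_fmt = "<" + (EHDR64 if is64 else EHDR32)
    phdr_fmt = "<" + (PHDR64 if is64 else PHDR32)
    ehdr_size, phdr_size = struct.calcsize(ehdr_fmt), struct.calcsize(phdr_fmt)
    ident = ELF_MAGIC + bytes([2 if is64 else 1, 1, 1, 0]) + b"\0" * 8
    phdr_types = ([PT_INTERP] if with_interp else []) + [PT_LOAD]
    ehdr = struct.pack(ehdr_fmt, ident, e_type, 62 if is64 else 3, 1,
                       0, ehdr_size, 0, 0, ehdr_size, phdr_size,
                       len(phdr_types), 0, 0, 0)
    phdrs = b""
    for p_type in phdr_types:
        if is64:   # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
            phdrs += struct.pack(phdr_fmt, p_type, 5, 0, 0, 0, 0, 0, 0)
        else:      # p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
            phdrs += struct.pack(phdr_fmt, p_type, 0, 0, 0, 0, 0, 5, 0)
    return ehdr + phdrs


if __name__ == "__main__":
    # Usage: python3 pie_check.py /usr/sbin/apache2 /usr/sbin/sshd ...
    for p in sys.argv[1:]:
        print(f"{classify_file(p):14s} {p}")
```

Run it over the binaries of a package after a rebuild with PIE disabled and they should report `exec`; with PIE on they report `pie`. Because the check reads only e_type and the program headers, it also works on cross-built binaries and on the other endianness.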