Re: Hardening build flags release goal

On Tue, Sep 06, 2011 at 04:01:04PM +0000, The Fungi wrote:
> On Mon, Sep 05, 2011 at 02:22:39PM -0700, Kees Cook wrote:
> [...]
> > It might be better to extend it further, like "all network daemons
> > using dpkg-buildflags properly and enabling PIE"
> [...]
> And since many network daemons are implemented in interpreted
> languages, it might be nice to include packaged interpreters in the
> list of candidates.

Yeah, that's a good idea. Ubuntu has a list of packages that were
specifically called out to build with PIE (and as a result are well-tested
by now):

One task I haven't had time to do, related to interpreters, is to benchmark
the python testsuite with PIE. A number of years ago, a 15% performance hit
on i386 (due to so few general registers). I'd really like to see the
numbers across all architectures. A future release goal, I think, would be
to build all of amd64 (and any other archs that don't see a big hit) with
PIE by default. Can someone step up to do this?


Kees Cook                                            @debian.org

