
Re: Bits from dpkg developers - dpkg 1.16.1



On Sep 23, Raphael Hertzog <hertzog@debian.org> wrote:

>   Two hardening features are not enabled by default: PIE and bindnow.
Why?

>   If your package supports PIE, you might want to consider enabling it.
>   If the binaries are long running processes like daemons, and as such
>   the startup performance penalty of “bindnow” is acceptable, it might
>   be a good idea to enable it too but only if relro is in effect,
>   although another option might be to just define LD_BIND_NOW=1 on the
>   daemon's environment (for example in the init.d script), in which case
>   the sysadmin can always disable it, something that's not possible with
>   the build option.
I believe that developers would benefit from more detailed
recommendations.
In other words, just say clearly who should enable these features (and
why).

-- 
ciao,
Marco
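A check for the "only if relro is in effect" condition in the quoted text, as an added example that is not part of this thread or of dpkg's own code: a small ELF64 header parser that reports whether a built binary is PIE (ET_DYN), carries a PT_GNU_RELRO segment, and has the BIND_NOW flag in its dynamic section, so a maintainer can confirm what the build flags actually produced before deciding on bindnow. It assumes a little-endian ELF64 input (amd64/arm64 builds); `build_sample_elf` constructs a synthetic header-only image for a self-test and is not a real binary.

```python
"""Report PIE / RELRO / BIND_NOW state of an ELF64 binary by reading its headers.

Added example for this thread, not dpkg's code. Assumes little-endian ELF64.
"""
import struct
import sys

ET_DYN = 3                 # e_type of PIE executables (and of shared objects)
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552  # segment the loader remaps read-only after relocation
DT_NULL = 0
DT_BIND_NOW = 24
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1


def _program_headers(data):
    """Yield (p_type, p_offset, p_filesz) for every program header."""
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        p = struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        yield p[0], p[2], p[5]


def _dynamic_entries(data, offset, size):
    """Yield (d_tag, d_val) pairs from a PT_DYNAMIC segment up to DT_NULL."""
    end = offset + size
    while offset + 16 <= end:
        tag, val = struct.unpack_from("<qQ", data, offset)
        if tag == DT_NULL:
            break
        yield tag, val
        offset += 16


def hardening_status(data):
    """Return a dict with pie, relro, bindnow and full_relro booleans."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (e_type,) = struct.unpack_from("<H", data, 16)
    # Note: shared libraries are ET_DYN too; for an executable this means PIE.
    status = {"pie": e_type == ET_DYN, "relro": False, "bindnow": False}
    for p_type, p_offset, p_filesz in _program_headers(data):
        if p_type == PT_GNU_RELRO:
            status["relro"] = True
        elif p_type == PT_DYNAMIC:
            for tag, val in _dynamic_entries(data, p_offset, p_filesz):
                if (tag == DT_BIND_NOW
                        or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    status["bindnow"] = True
    # bindnow only buys "full RELRO" (GOT made read-only) when the RELRO
    # segment exists; without it, the flag costs startup time for nothing.
    status["full_relro"] = status["relro"] and status["bindnow"]
    return status


def build_sample_elf(pie=True, relro=True, bindnow=True):
    """Constructed sample: a header-only ELF64 image, just enough for the check."""
    dyn = b""
    if bindnow:
        dyn += struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    ehdr_size, phent = 64, 56
    nph = 2 if relro else 1
    dyn_off = ehdr_size + nph * phent
    phdrs = [struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)]
    if relro:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, little-endian, v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               ET_DYN if pie else 2, 62, 1, 0, ehdr_size, 0, 0,
                               ehdr_size, phent, nph, 64, 0, 0)
    return ehdr + b"".join(phdrs) + dyn


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for key, value in hardening_status(blob).items():
        print(f"{key}: {'yes' if value else 'no'}")
```

This reports only the build-time state: LD_BIND_NOW=1 set in an init.d script, the alternative the quoted text mentions, leaves no trace in the binary, so a package that takes that route has to be checked through the daemon's environment rather than its ELF headers.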
