On Sep 23, Raphael Hertzog <hertzog@debian.org> wrote:

> Two hardening features are not enabled by default: PIE and bindnow.
Why?

> If your package supports PIE, you might want to consider enabling it.
> If the binaries are long running processes like daemons, and as such
> the startup performance penalty of “bindnow” is acceptable, it might
> be a good idea to enable it too but only if relro is in effect,
> although another option might be to just define LD_BIND_NOW=1 on the
> daemon's environment (for example in the init.d script), in which case
> the sysadmin can always disable it, something that's not possible with
> the build option.
I believe that developers would benefit from more detailed recommendations.
In other words, just say clearly who should enable these features (and why).

-- 
ciao,
Marco
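The advice quoted above ties bindnow to relro being in effect, and a maintainer who enables either flag will want to confirm the built binary actually carries them. As an added example (not from this thread and not Debian's own tooling), the following checks an ELF for PIE, the RELRO segment and the BIND_NOW dynamic flags and reports whether full RELRO (read-only GOT) is really in force; it assumes ELF64 little-endian input and uses a constructed, non-loadable sample image rather than a real binary.

```python
import struct

# ELF64 little-endian constants (this example handles only that layout; an assumption)
ET_DYN, PT_DYNAMIC, PT_GNU_RELRO = 3, 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def hardening_status(elf: bytes) -> dict:
    """Report PIE, RELRO and BIND_NOW from the ELF header, program headers and dynamic section."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only ELF64 little-endian objects are handled here")
    e_type, = struct.unpack_from("<H", elf, 16)
    e_phoff, = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    relro, bindnow, dyn = False, False, None
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True  # linker emitted the -z relro segment
        elif p_type == PT_DYNAMIC:
            dyn = (p_offset, p_offset + p_filesz)
    if dyn:
        off, end = dyn
        while off + 16 <= end:
            tag, val = struct.unpack_from("<qQ", elf, off)
            off += 16
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bindnow = True  # -z now: every PLT entry is resolved at load time
    # ET_DYN covers shared objects as well as PIE executables, so pair it with a dynamic section
    pie = e_type == ET_DYN and dyn is not None
    # the GOT only becomes read-only (full RELRO) when relro and bindnow are both present
    return {"pie": pie, "relro": relro, "bindnow": bindnow, "full_relro": relro and bindnow}

def make_elf(pie: bool, relro: bool, bindnow: bool) -> bytes:
    """Constructed minimal (non-loadable) ELF64 image used as sample input."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in
                   ([(DT_FLAGS, DF_BIND_NOW)] if bindnow else []) + [(DT_NULL, 0)])
    phdrs = [(PT_DYNAMIC, len(dyn))] + ([(PT_GNU_RELRO, 0x1000)] if relro else [])
    dyn_off = 64 + 56 * len(phdrs)  # dynamic section follows the program headers
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else 2, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, 6, dyn_off if t == PT_DYNAMIC else 0,
                                0, 0, sz, sz, 8) for t, sz in phdrs)
    return ehdr + body + dyn
```

Running hardening_status over a real build output (open the file in binary mode) gives the same four booleans, which is what the relro-before-bindnow condition in the quoted advice asks a maintainer to confirm.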