Re: Bits from dpkg developers - dpkg 1.16.1
On Fri, Sep 23, 2011 at 11:53:36AM +0200, Marco d'Itri wrote:
> On Sep 23, Raphael Hertzog <email@example.com> wrote:
> > Two hardening features are not enabled by default: PIE and bindnow.
I guess because they have more impact on performance than the others.
> > If your package supports PIE, you might want to consider enabling it.
> > If the binaries are long running processes like daemons, and as such
> > the startup performance penalty of “bindnow” is acceptable, it might
> > be a good idea to enable it too but only if relro is in effect,
> > although another option might be to just define LD_BIND_NOW=1 on the
> > daemon's environment (for example in the init.d script), in which case
> > the sysadmin can always disable it, something that's not possible with
> > the build option.
> I believe that developers would benefit from more detailed
> In other words, just say clearly who should enable these features (and
It has already been discussed here, and there are already pages describing
it and people committed to help in this goal being reached for the next release.
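A check for the condition this thread hinges on (bindnow is only worth enabling once relro is in effect), as an added example that is not part of the original thread or of dpkg: it reads the ELF64 program headers and dynamic section directly rather than relying on readelf. `hardening_flags` and `build_sample_elf` are hypothetical names, and the sample image is constructed, not a loadable binary.

```python
import struct

# ELF constants as defined in the ELF and GNU ABIs (same values as glibc's elf.h)
ET_DYN = 3
PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 2, 3, 0x6474E552
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

def hardening_flags(data: bytes) -> dict:
    """Report PIE, RELRO and BIND_NOW for a little-endian ELF64 image (bytes of the file)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are handled here")
    e_type, e_phoff = struct.unpack_from("<H", data, 16)[0], struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    has_interp = has_relro = False
    dyn_off = dyn_end = 0
    for i in range(e_phnum):
        ph = struct.unpack_from("<IIQQQQQQ", data, e_phoff + i * e_phentsize)  # p_type .. p_align
        if ph[0] == PT_INTERP:
            has_interp = True    # has an interpreter: an executable, not a plain shared library
        elif ph[0] == PT_GNU_RELRO:
            has_relro = True     # loader remaps this range read-only once relocation is done
        elif ph[0] == PT_DYNAMIC:
            dyn_off, dyn_end = ph[2], ph[2] + ph[5]  # p_offset, p_offset + p_filesz
    flags = flags1 = 0
    while dyn_off + 16 <= dyn_end:
        tag, val = struct.unpack_from("<qQ", data, dyn_off)
        if tag == DT_NULL:
            break
        if tag == DT_FLAGS:
            flags = val
        elif tag == DT_FLAGS_1:
            flags1 = val
        dyn_off += 16
    bind_now = bool(flags & DF_BIND_NOW or flags1 & DF_1_NOW)
    return {"pie": e_type == ET_DYN and (has_interp or bool(flags1 & DF_1_PIE)),
            "relro": has_relro, "bind_now": bind_now,
            # the thread's point: bindnow only locks down the GOT when RELRO covers it as well
            "full_relro": has_relro and bind_now}

def build_sample_elf(relro: bool, bind_now: bool) -> bytes:
    """Constructed, non-loadable ELF64 image carrying only the headers the check reads."""
    types = [PT_INTERP, PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    dyn_off = 64 + 56 * len(types)  # dynamic entries follow the ELF header and program headers
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0) + struct.pack("<qQ", DT_NULL, 0)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN, 62, 1, 0, 64, 0, 0, 64, 56, len(types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, dyn_off if t == PT_DYNAMIC else 0, 0, 0,
                                 len(dyn) if t == PT_DYNAMIC else 0, 0, 0) for t in types)
    return ehdr + phdrs + dyn
```

Run `hardening_flags(open(path, "rb").read())` on an installed daemon to see the same three properties; a binary with `PT_GNU_RELRO` but no `BIND_NOW` flag has only partial RELRO, leaving `.got.plt` writable at run time.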