[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bits from dpkg developers - dpkg 1.16.1

bertagaz@ptitcanardnoir.org wrote:

> On Fri, Sep 23, 2011 at 11:53:36AM +0200, Marco d'Itri wrote:
> > On Sep 23, Raphael Hertzog <hertzog@debian.org> wrote:
> > 
> > >   Two hardening features are not enabled by default: PIE and bindnow.
> > Why?
> I guess because they have more impact on performance than the others.


I think it would be better to enable all security-enhancing flags by
default (at least all of the included ones so far, which are fairly
well-tested). Yes, these two do have a larger potential to reduce
performance, but its also sufficiently straightforward to add
-pie,-bindnow to disable them. Thus, maintainers that do find
performance issues after adding the flags, can easily solve the problem
they've created.

As it stands now being a non-default setting, most packages will end up
not getting these protections, which I think is less desirable than
having most fully protected and only a small subset with reduced

Best wishes,

Reply to: