[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bits from dpkg developers - dpkg 1.16.1

On Sun, Sep 25, 2011 at 5:11 AM, Michael Gilbert wrote:

> I think it would be better to enable all security-enhancing flags by
> default (at least all of the included ones so far, which are fairly
> well-tested). Yes, these two do have a larger potential to reduce
> performance, but its also sufficiently straightforward to add
> -pie,-bindnow to disable them. Thus, maintainers that do find
> performance issues after adding the flags, can easily solve the problem
> they've created.

IIRC the Debian GCC maintainer did not want to enable these
security-enhancing flags. The only way to get these flags enabled by
default would be to talk with GCC upstream and hope that the Debian
GCC maintainer does not disable them.

> As it stands now being a non-default setting, most packages will end up
> not getting these protections, which I think is less desirable than
> having most fully protected and only a small subset with reduced
> protections.




Reply to: