Re: Bits from dpkg developers - dpkg 1.16.1
On Sun, Sep 25, 2011 at 5:11 AM, Michael Gilbert wrote:
> I think it would be better to enable all security-enhancing flags by
> default (at least all of the included ones so far, which are fairly
> well-tested). Yes, these two do have a larger potential to reduce
> performance, but its also sufficiently straightforward to add
> -pie,-bindnow to disable them. Thus, maintainers that do find
> performance issues after adding the flags, can easily solve the problem
> they've created.
IIRC the Debian GCC maintainer did not want to enable these
security-enhancing flags. The only way to get these flags enabled by
default would be to talk with GCC upstream and hope that the Debian
GCC maintainer does not disable them.
> As it stands now being a non-default setting, most packages will end up
> not getting these protections, which I think is less desirable than
> having most fully protected and only a small subset with reduced