Re: Bits from dpkg developers - dpkg 1.16.1
On Fri, Sep 23, 2011 at 08:17:54AM +0200, Raphael Hertzog wrote:
> Two hardening features are not enabled by default: PIE and bindnow.
> If your package supports PIE, you might want to consider enabling it.
> If the binaries are long running processes like daemons, and as such
> the startup performance penalty of “bindnow” is acceptable, it might
> be a good idea to enable it too but only if relro is in effect,
> although another option might be to just define LD_BIND_NOW=1 on the
> daemon's environment (for example in the init.d script), in which case
> the sysadmin can always disable it, something that's not possible with
> the build option.
Just to be explicit, PIE tends to have small (<1%) performance hits on
register-starved architectures (i386) in most cases, but for certain
workloads (e.g. python) the hit is large (~15%). On architectures with plenty
of registers (amd64) there's virtually no measurable performance hit that
If your package handles 3rd party data of any kind (renders, network
daemons, file parsers, etc), I strongly recommend enabling PIE.
And, if you enable PIE, please enable bindnow too. The start-up
performance hit of bindnow isn't measurable on most architectures. Some
much slower ones can see problems (early ARM).
It's possible that PIE and/or bindnow may be enabled by default for certain
architectures in the future.
If your package is using hardening-wrapper or hardening-includes, you were
effectively using "+pie,+bindnow", so when converting, please continue to
build with PIE and bindnow. :)
Kees Cook @debian.org
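The three properties the thread argues about (PIE, RELRO and BIND_NOW, and the
"bindnow only if relro is in effect" rule) can be read straight out of an ELF
header. The following checker is an added example, not part of the original
message and not Debian's hardening-check script; it uses only the Python
standard library and mirrors what readelf would show: PIE is reported as
e_type == ET_DYN, RELRO as a PT_GNU_RELRO segment, and BIND_NOW as DT_BIND_NOW,
DF_BIND_NOW in DT_FLAGS or DF_1_NOW in DT_FLAGS_1. The build_sample_elf()
helper constructs a minimal, non-executable ELF image so the checker can be
exercised offline; real binaries are passed on the command line.

```python
"""Report PIE / RELRO / BIND_NOW status of an ELF file (added example)."""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def _layout(data):
    """Pick struct formats for the ELF class and byte order of `data`."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    if data[4] == 2:                            # ELFCLASS64
        return dict(ehdr=end + "16sHHIQQQIHHHHHH", phdr=end + "IIQQQQQQ",
                    dyn=end + "qQ",
                    fields=("type", "flags", "offset", "vaddr", "paddr",
                            "filesz", "memsz", "align"))
    if data[4] == 1:                            # ELFCLASS32: p_flags comes after p_memsz
        return dict(ehdr=end + "16sHHIIIIIHHHHHH", phdr=end + "IIIIIIII",
                    dyn=end + "iI",
                    fields=("type", "offset", "vaddr", "paddr",
                            "filesz", "memsz", "flags", "align"))
    raise ValueError("unknown ELF class")


def hardening_report(data):
    """Return {'pie', 'relro', 'bindnow', 'full_relro'} for ELF bytes `data`.

    Caveat: a shared library is also ET_DYN, so 'pie' means 'PIE or shared
    object', exactly as readelf's 'Type: DYN' does. 'full_relro' is the
    combination the thread recommends: bindnow is only useful with relro.
    """
    lay = _layout(data)
    ehdr = struct.unpack_from(lay["ehdr"], data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = ehdr[1], ehdr[5], ehdr[9], ehdr[10]

    relro, dynamic = False, None
    for i in range(e_phnum):
        raw = struct.unpack_from(lay["phdr"], data, e_phoff + i * e_phentsize)
        ph = dict(zip(lay["fields"], raw))
        if ph["type"] == PT_GNU_RELRO:
            relro = True
        elif ph["type"] == PT_DYNAMIC:
            dynamic = ph

    bindnow = False
    if dynamic is not None:
        size = struct.calcsize(lay["dyn"])
        off, end = dynamic["offset"], dynamic["offset"] + dynamic["filesz"]
        while off + size <= end:                # walk .dynamic until DT_NULL
            tag, val = struct.unpack_from(lay["dyn"], data, off)
            off += size
            if tag == DT_NULL:
                break
            if (tag == DT_BIND_NOW
                    or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                bindnow = True
    return {"pie": e_type == ET_DYN, "relro": relro, "bindnow": bindnow,
            "full_relro": relro and bindnow}


def build_sample_elf(pie, relro, bindnow):
    """Construct a minimal ELF64 little-endian image (constructed test data,
    not loadable) with only the headers the checker looks at."""
    phdr_fmt, dyn_fmt, ehsize, phentsize = "<IIQQQQQQ", "<qQ", 64, 56
    phnum = 2 if relro else 1
    dyn_off = ehsize + phnum * phentsize
    dynamic = b""
    if bindnow:
        dynamic += struct.pack(dyn_fmt, DT_FLAGS, DF_BIND_NOW)
    dynamic += struct.pack(dyn_fmt, DT_NULL, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # 64-bit, LE, version 1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, ET_DYN if pie else ET_EXEC,
                       62, 1, 0, ehsize, 0, 0, ehsize, phentsize, phnum, 0, 0, 0)
    phdrs = struct.pack(phdr_fmt, PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                        len(dynamic), len(dynamic), 8)
    if relro:
        phdrs += struct.pack(phdr_fmt, PT_GNU_RELRO, 4, dyn_off, dyn_off,
                             dyn_off, len(dynamic), len(dynamic), 1)
    return ehdr + phdrs + dynamic


if __name__ == "__main__":
    for path in sys.argv[1:]:                   # e.g. python3 check.py /usr/sbin/*
        with open(path, "rb") as f:
            print(path, hardening_report(f.read()))
```

Run it over a daemon built with "+pie,+bindnow" and you should see all four
keys True; a binary built with the dpkg 1.16.1 defaults (relro on, pie and
bindnow off) shows relro True and the rest False. A result of bindnow True
with relro False is the configuration the thread warns against: the startup
cost is paid but the GOT is never made read-only.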