> Two hardening features are not enabled by default: PIE and bindnow.
> If your package supports PIE, you might want to consider enabling it.

You should not blindly enable PIE, even if the package seems to support it. PIE can have runtime performance impacts up to 25% for some binaries on some architectures, so a package developer really should test builds, not just on ix86 architectures, before enabling such a feature.

I don't see that PIE is even recommended by the hardening team for general usage, so I don't know why the dpkg developers make such a recommendation at all. At least some members of the hardening team do know about these regressions, but I can't see these documented in some place.

Having some security features enabled by default does have its merits, but if it comes with a price like that, it should be limited to chosen packages and architectures, not enabled by default.

Matthias
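As an added illustration that is not part of this thread, the following Python check lets a package maintainer confirm which of the two features named in the quoted text, PIE and bindnow, actually ended up in a built ELF64 executable, by reading the ELF type and the DT_FLAGS / DT_FLAGS_1 dynamic entries directly. The minimal ELF image it parses is constructed inline (a hypothetical sample, not a real package binary) so the check runs offline.

```python
import struct

# ELF constants as defined in the ELF specification / elf.h
ET_EXEC, ET_DYN = 2, 3            # a PIE executable is linked as ET_DYN
PT_DYNAMIC = 2
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 0x1E, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1  # either flag means "bindnow" (-z now)


def check_hardening(data: bytes) -> dict:
    """Report whether a little-endian ELF64 image is PIE and bindnow.

    Shared libraries are ET_DYN as well, so run this on executables.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    flags = flags1 = 0
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from("<I", data, off)
        if p_type != PT_DYNAMIC:
            continue
        p_offset, _, _, p_filesz = struct.unpack_from("<QQQQ", data, off + 8)
        for pos in range(p_offset, p_offset + p_filesz, 16):
            tag, val = struct.unpack_from("<qQ", data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_FLAGS:
                flags = val
            elif tag == DT_FLAGS_1:
                flags1 = val
    return {"pie": e_type == ET_DYN,
            "bind_now": bool(flags & DF_BIND_NOW or flags1 & DF_1_NOW)}


def make_test_elf(pie: bool, bind_now: bool) -> bytes:
    """Construct a minimal ELF64 image (header + one PT_DYNAMIC segment)."""
    dyn = b""
    if bind_now:
        dyn += struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW)
        dyn += struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    phoff, dynoff = 64, 64 + 56        # phdr follows ehdr, dynamic follows phdr
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # ELF64, LE, version 1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, ET_DYN if pie else ET_EXEC,
                       62, 1, 0x1000, phoff, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dynoff, dynoff, dynoff,
                       len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn
```

On a real package build the same two facts are visible with `readelf -h` (Type: DYN) and `readelf -d` (FLAGS: BIND_NOW / FLAGS_1: NOW), which is a quick way to verify a build before and after flipping the dpkg-buildflags features.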