Re: Bits from dpkg developers - dpkg 1.16.1
bertagaz@ptitcanardnoir.org wrote:
> On Fri, Sep 23, 2011 at 11:53:36AM +0200, Marco d'Itri wrote:
> > On Sep 23, Raphael Hertzog <hertzog@debian.org> wrote:
> >
> > > Two hardening features are not enabled by default: PIE and bindnow.
> > Why?
>
> I guess because they have more impact on performance than the others.
Hi,
I think it would be better to enable all security-enhancing flags by
default (at least all of the included ones so far, which are fairly
well-tested). Yes, these two do have a larger potential to reduce
performance, but its also sufficiently straightforward to add
-pie,-bindnow to disable them. Thus, maintainers that do find
performance issues after adding the flags, can easily solve the problem
they've created.
As it stands now being a non-default setting, most packages will end up
not getting these protections, which I think is less desirable than
having most fully protected and only a small subset with reduced
protections.
Best wishes,
Mike
Reply to: