[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: state of security hardening build flag efforts

On Sun, Apr 01, 2012 at 11:29:42AM -0700, Kees Cook wrote:
> Note that the default flags in both Ubuntu and Debian lack PIE (where
> as Gentoo's hardening patchset includes PIE by default). The Debian
> hardening documentation has encouraged maintainers to enable PIE too
> if they have a sensitive package (daemons, media processors, browsers,
> interpreters, etc), so it's not totally absent.

I think enabling PIE via dpkg-buildflags greatly depends on the
build infrastructure, which might be why it's not always easy for
people to enable it.

However, I wonder why bindnow isn't on by default.  I thought we had
a discussion about this, and didn't really see any negative
performance from that?


Reply to: