Re: state of security hardening build flag efforts

On Sun, Apr 01, 2012 at 11:29:42AM -0700, Kees Cook wrote:
> Note that the default flags in both Ubuntu and Debian lack PIE (whereas
> Gentoo's hardening patchset includes PIE by default). The Debian
> hardening documentation has encouraged maintainers to enable PIE too
> if they have a sensitive package (daemons, media processors, browsers,
> interpreters, etc), so it's not totally absent.

I think enabling PIE via dpkg-buildflags greatly depends on the
build infrastructure, which might be why it's not always easy for
people to enable it.

However, I wonder why bindnow isn't on by default.  I thought we had
a discussion about this, and didn't really see any negative
performance from that?
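As an added example (not part of this thread, and not dpkg's own code), here is a way to verify after the fact whether a built binary actually received the two flags discussed above, PIE and bindnow. It reads the ELF header and the PT_DYNAMIC segment directly rather than shelling out to readelf, so it works anywhere Python runs. The build_sample_elf() helper constructs a minimal, non-loadable ELF64 image purely so the checker has something to run on offline; point check_file() at a real binary to inspect a package's output.

```python
"""Report whether an ELF64 binary was linked as PIE and with BIND_NOW (-z now).

Added example: parses the ELF header and dynamic section itself; the sample
image produced by build_sample_elf() is constructed for demonstration only.
"""
import struct
import sys

# Constants from elf.h
ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8            # bit in DT_FLAGS
DF_1_NOW = 0x1               # bit in DT_FLAGS_1
DF_1_PIE = 0x08000000        # bit in DT_FLAGS_1, set by binutils for -pie links


def _dynamic_entries(data: bytes) -> dict:
    """Return {d_tag: d_val} for every entry in the PT_DYNAMIC segment."""
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    tags = {}
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type != PT_DYNAMIC:
            continue
        for j in range(p_filesz // 16):          # Elf64_Dyn is 16 bytes
            d_tag, d_val = struct.unpack_from("<qQ", data, p_offset + j * 16)
            if d_tag == DT_NULL:
                break
            tags[d_tag] = d_val
    return tags


def check_hardening(data: bytes) -> dict:
    """Return {"e_type", "pie", "bind_now"} for a little-endian ELF64 image."""
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF64 is handled by this example")
    (e_type,) = struct.unpack_from("<H", data, 16)
    dyn = _dynamic_entries(data)
    flags, flags1 = dyn.get(DT_FLAGS, 0), dyn.get(DT_FLAGS_1, 0)
    # Any of three encodings means the loader resolves all symbols at startup.
    bind_now = DT_BIND_NOW in dyn or bool(flags & DF_BIND_NOW) or bool(flags1 & DF_1_NOW)
    # ET_DYN alone could also be a shared library; DF_1_PIE pins it down.
    pie = e_type == ET_DYN and bool(flags1 & DF_1_PIE)
    return {"e_type": e_type, "pie": pie, "bind_now": bind_now}


def check_file(path: str) -> dict:
    with open(path, "rb") as f:
        return check_hardening(f.read())


def build_sample_elf(pie: bool, bind_now: bool) -> bytes:
    """Constructed sample: header + one PT_DYNAMIC segment, not loadable."""
    entries, flags1 = [], 0
    if pie:
        flags1 |= DF_1_PIE
    if bind_now:
        entries += [(DT_BIND_NOW, 0), (DT_FLAGS, DF_BIND_NOW)]
        flags1 |= DF_1_NOW
    entries += [(DT_FLAGS_1, flags1), (DT_NULL, 0)]
    dynamic = b"".join(struct.pack("<qQ", t, v) for t, v in entries)
    ehsize, phentsize = 64, 56
    dyn_off = ehsize + phentsize
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + bytes(8)
    header = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1,
                                 0, ehsize, 0, 0, ehsize, phentsize, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                       len(dynamic), len(dynamic), 8)
    return header + phdr + dynamic


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(p, check_file(p))
    else:
        print("constructed sample:", check_hardening(build_sample_elf(pie=True, bind_now=False)))
```

A binary that reports pie=False is ET_EXEC, i.e. it was linked without -pie even if objects were compiled with -fPIE; bind_now=False means -z now never reached the link step, which is what a dpkg-buildflags integration problem in the build system looks like from the outside.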