Re: state of security hardening build flag efforts

To: Kees Cook <kees@debian.org>
Cc: debian-devel@lists.debian.org
Subject: Re: state of security hardening build flag efforts
From: Kurt Roeckx <kurt@roeckx.be>
Date: Sat, 7 Apr 2012 02:17:21 +0200
Message-id: <[🔎] 20120407001721.GA26789@roeckx.be>
In-reply-to: <[🔎] 20120401182941.GM8020@outflux.net>
References: <[🔎] 20120401074937.GJ8020@outflux.net> <[🔎] CAKTje6F-9v=rQ7_ki5GFtGNn9DsizSADZQwvh_jSC=C6XCnuXQ@mail.gmail.com> <[🔎] 20120401182941.GM8020@outflux.net>

On Sun, Apr 01, 2012 at 11:29:42AM -0700, Kees Cook wrote:
> Note that the default flags in both Ubuntu and Debian lack PIE (where
> as Gentoo's hardening patchset includes PIE by default). The Debian
> hardening documentation has encouraged maintainers to enable PIE too
> if they have a sensitive package (daemons, media processors, browsers,
> interpreters, etc), so it's not totally absent.

I think enabling PIE via dpkg-buildflags greatly depends on the
build infrastructure, which might be why it's not always easy for
people to enable it.

However, I wonder why bindnow isn't on by default.  I thought we had
a discussion about this, and didn't really see any negative
performance from that?

Kurt

Reply to:

Follow-Ups:
- Re: state of security hardening build flag efforts
  - From: Julien Cristau <jcristau@debian.org>

References:
- state of security hardening build flag efforts
  - From: Kees Cook <kees@debian.org>
- Re: state of security hardening build flag efforts
  - From: Paul Wise <pabs@debian.org>
- Re: state of security hardening build flag efforts
  - From: Kees Cook <kees@debian.org>

Prev by Date: Re: state of security hardening build flag efforts
Next by Date: provide the information of led for you __ztlights
Previous by thread: Re: state of security hardening build flag efforts
Next by thread: Re: state of security hardening build flag efforts
Index(es):
- Date
- Thread