Re: state of security hardening build flag efforts

To: Julien Cristau <jcristau@debian.org>
Cc: Kurt Roeckx <kurt@roeckx.be>, Kees Cook <kees@debian.org>, debian-devel@lists.debian.org
Subject: Re: state of security hardening build flag efforts
From: Raphael Hertzog <hertzog@debian.org>
Date: Sat, 7 Apr 2012 11:27:46 +0200
Message-id: <[🔎] 20120407092746.GA9796@rivendell.home.ouaza.com>
Mail-followup-to: Julien Cristau <jcristau@debian.org>, Kurt Roeckx <kurt@roeckx.be>, Kees Cook <kees@debian.org>, debian-devel@lists.debian.org
In-reply-to: <[🔎] 20120407083137.GG22243@radis.cristau.org>
References: <[🔎] 20120401074937.GJ8020@outflux.net> <[🔎] CAKTje6F-9v=rQ7_ki5GFtGNn9DsizSADZQwvh_jSC=C6XCnuXQ@mail.gmail.com> <[🔎] 20120401182941.GM8020@outflux.net> <[🔎] 20120407001721.GA26789@roeckx.be> <[🔎] 20120407083137.GG22243@radis.cristau.org>

Hi,

On Sat, 07 Apr 2012, Julien Cristau wrote:
> On Sat, Apr  7, 2012 at 02:17:21 +0200, Kurt Roeckx wrote:
> 
> > However, I wonder why bindnow isn't on by default.  I thought we had
> > a discussion about this, and didn't really see any negative
> > performance from that?
> 
> It makes stuff stop working.

I think you're mixing up with PIE.

The reason bindnow is disabled by default is performance:

commit 7af8fb2f01df10ffd65b733772fd3ef88f808cc3
Author: Guillem Jover <guillem@debian.org>
Date:   Tue Sep 13 08:47:58 2011 +0200

    dpkg-buildflags: Disable bind now by default
    
    This option has a startup performance hit on slow systems, particularly
    due to slow I/O, the effects of which cannot be reverted except for a
    rebuild. It might make sense for long running processes where the
    startup time is not that important, and the security improvements do
    actually matter. Another option is to set the environment variable
    LD_BIND_NOW=1 for the long running process, so that the sysadmin can
    disable it if desired.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Pre-order a copy of the Debian Administrator's Handbook and help
liberate it: http://debian-handbook.info/liberation/

Reply to:

Follow-Ups:
- Re: state of security hardening build flag efforts
  - From: Kurt Roeckx <kurt@roeckx.be>
- Re: state of security hardening build flag efforts
  - From: Julien Cristau <jcristau@debian.org>

References:
- state of security hardening build flag efforts
  - From: Kees Cook <kees@debian.org>
- Re: state of security hardening build flag efforts
  - From: Paul Wise <pabs@debian.org>
- Re: state of security hardening build flag efforts
  - From: Kees Cook <kees@debian.org>
- Re: state of security hardening build flag efforts
  - From: Kurt Roeckx <kurt@roeckx.be>
- Re: state of security hardening build flag efforts
  - From: Julien Cristau <jcristau@debian.org>

Prev by Date: Re: state of security hardening build flag efforts
Next by Date: Re: state of security hardening build flag efforts
Previous by thread: Re: state of security hardening build flag efforts
Next by thread: Re: state of security hardening build flag efforts
Index(es):
- Date
- Thread