Re: state of security hardening build flag efforts
On Sat, 07 Apr 2012, Julien Cristau wrote:
> On Sat, Apr 7, 2012 at 02:17:21 +0200, Kurt Roeckx wrote:
> > However, I wonder why bindnow isn't on by default. I thought we had
> > a discussion about this, and didn't really see any negative
> > performance from that?
> It makes stuff stop working.
I think you're mixing it up with PIE.
The reason bindnow is disabled by default is performance:
Author: Guillem Jover <email@example.com>
Date: Tue Sep 13 08:47:58 2011 +0200
dpkg-buildflags: Disable bind now by default
This option has a startup performance hit on slow systems, particularly
due to slow I/O, the effects of which cannot be reverted except for a
rebuild. It might make sense for long running processes where the
startup time is not that important, and the security improvements do
actually matter. Another option is to set the environment variable
LD_BIND_NOW=1 for the long running process, so that the sysadmin can
disable it if desired.
Raphaël Hertzog ◈ Debian Developer
Pre-order a copy of the Debian Administrator's Handbook and help
liberate it: http://debian-handbook.info/liberation/
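Since the thread turns on whether a given binary was actually linked with bind-now (ld's -z now), here is an added example, not part of the original mail or of dpkg's own code, that checks this the way readelf -d would: it walks the PT_DYNAMIC segment and looks for DT_FLAGS with DF_BIND_NOW or DT_FLAGS_1 with DF_1_NOW. The build_sample_elf() helper is a constructed minimal ELF64 image used only as offline sample input; the has_bind_now() check itself reads any real ELF file. Note that LD_BIND_NOW=1, the per-process workaround mentioned above, changes loader behaviour at run time and leaves these flags untouched, so a check like this reports only what the link step baked in.

```python
"""Check whether an ELF binary was linked with BIND_NOW (ld -z now).

Added example; mirrors what `readelf -d prog | grep -E 'FLAGS.*(BIND_NOW|NOW)'`
reports, but parses the dynamic section directly so it runs without binutils.
"""
import struct
import sys

PT_DYNAMIC = 2
DT_NULL = 0
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8   # DT_FLAGS bit set by -z now
DF_1_NOW = 0x1      # DT_FLAGS_1 bit set by -z now


def dynamic_entries(data):
    """Yield (tag, value) pairs from the PT_DYNAMIC segment of an ELF image.

    Handles ELF32/ELF64 and both byte orders; a static binary (no PT_DYNAMIC)
    simply yields nothing.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                 # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little, 2 = big endian
    if is64:
        ehdr = struct.unpack_from(end + "16sHHIQQQIHHHHHH", data, 0)
        phdr_fmt, dyn_fmt = end + "IIQQQQQQ", end + "qQ"
    else:
        ehdr = struct.unpack_from(end + "16sHHIIIIIHHHHHH", data, 0)
        phdr_fmt, dyn_fmt = end + "IIIIIIII", end + "iI"
    phoff, phentsize, phnum = ehdr[5], ehdr[9], ehdr[10]
    dyn_size = struct.calcsize(dyn_fmt)
    for i in range(phnum):
        ph = struct.unpack_from(phdr_fmt, data, phoff + i * phentsize)
        # Field order differs between Elf32_Phdr and Elf64_Phdr.
        if is64:
            p_type, p_offset, p_filesz = ph[0], ph[2], ph[5]
        else:
            p_type, p_offset, p_filesz = ph[0], ph[1], ph[4]
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, dyn_size):
            tag, val = struct.unpack_from(dyn_fmt, data, off)
            if tag == DT_NULL:
                return
            yield tag, val


def has_bind_now(data):
    """True if the link step requested immediate binding (DF_BIND_NOW or DF_1_NOW)."""
    for tag, val in dynamic_entries(data):
        if tag == DT_FLAGS and val & DF_BIND_NOW:
            return True
        if tag == DT_FLAGS_1 and val & DF_1_NOW:
            return True
    return False


def build_sample_elf(bind_now):
    """Constructed sample input: a minimal little-endian ELF64 image that
    carries nothing but one PT_DYNAMIC segment. Not a loadable binary."""
    entries = [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)] if bind_now \
        else [(DT_FLAGS, 0), (DT_FLAGS_1, 0)]  # lazy binding: no NOW bits set
    entries.append((DT_NULL, 0))
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in entries)
    ehdr_size, phdr_size = 64, 56
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7
    # ET_DYN (3), EM_X86_64 (62), one program header right after the ELF header.
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 62, 1, 0, ehdr_size, 0, 0,
                       ehdr_size, phdr_size, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, ehdr_size + phdr_size,
                       0, 0, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn


if __name__ == "__main__":
    # Usage: python3 check_bindnow.py /path/to/binary
    with open(sys.argv[1], "rb") as f:
        print("BIND_NOW" if has_bind_now(f.read()) else "lazy binding")
```

To produce a binary that passes this check on Debian, build with the hardening option the thread is about enabled, i.e. DEB_BUILD_MAINT_OPTIONS=hardening=+bindnow, so that dpkg-buildflags adds -Wl,-z,now to LDFLAGS; with -z now and full RELRO together, the GOT becomes read-only after startup, which is the "security improvement" the commit message refers to.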