
Re: state of security hardening build flag efforts


On Sat, 07 Apr 2012, Julien Cristau wrote:
> On Sat, Apr  7, 2012 at 02:17:21 +0200, Kurt Roeckx wrote:
> > However, I wonder why bindnow isn't on by default.  I thought we had
> > a discussion about this, and didn't really see any negative
> > performance from that?
> It makes stuff stop working.

I think you're mixing up with PIE.

The reason bindnow is disabled by default is performance:

commit 7af8fb2f01df10ffd65b733772fd3ef88f808cc3
Author: Guillem Jover <guillem@debian.org>
Date:   Tue Sep 13 08:47:58 2011 +0200

    dpkg-buildflags: Disable bind now by default
    This option has a startup performance hit on slow systems, particularly
    due to slow I/O, the effects of which cannot be reverted except for a
    rebuild. It might make sense for long running processes where the
    startup time is not that important, and the security improvements do
    actually matter. Another option is to set the environment variable
    LD_BIND_NOW=1 for the long running process, so that the sysadmin can
    disable it if desired.

Raphaël Hertzog ◈ Debian Developer

Pre-order a copy of the Debian Administrator's Handbook and help
liberate it: http://debian-handbook.info/liberation/
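Added example, not from the thread or from dpkg: a small POSIX sh check that tells whether a given binary was linked with bind-now (the property the `bindnow` flag and `LD_BIND_NOW=1` discussed above control), by reading the three dynamic tags the linker can use to record it. The `readelf -d` excerpts embedded below are constructed, not captured from real packages.

```shell
#!/bin/sh
# Classify an ELF binary as bind-now or lazy-binding from its dynamic section.
# The linker records immediate binding in one of three places, which
# `readelf -d` prints as:
#   DT_BIND_NOW  ->  (BIND_NOW)
#   DT_FLAGS     ->  (FLAGS)     BIND_NOW
#   DT_FLAGS_1   ->  (FLAGS_1)   Flags: NOW ...
# has_bindnow reads `readelf -d` text on stdin; exit 0 = bind now, 1 = lazy.
has_bindnow() {
    grep -Eq '\(BIND_NOW\)|\(FLAGS\) +.*BIND_NOW|\(FLAGS_1\) +Flags:( [A-Z_]+)* NOW( |$)'
}

# Inspect a real file (needs binutils' readelf); prints a one-line verdict.
# A lazily bound binary can still be run with LD_BIND_NOW=1, as the commit
# message notes, but the relocation work then happens at every start.
check_binary() {
    if readelf -d "$1" | has_bindnow; then
        echo "$1: bind now (linked with -z now)"
    else
        echo "$1: lazy binding (GOT entries resolved on first call)"
    fi
}

# Constructed readelf -d excerpts standing in for two builds of one program.
SAMPLE_HARDENED='Dynamic section at offset 0x2d78 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE'

SAMPLE_LAZY='Dynamic section at offset 0x2d88 contains 26 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000006ffffffb (FLAGS_1)            Flags: PIE'

# Self-check on the constructed samples; returns 0 when both classify right.
selftest() {
    printf '%s\n' "$SAMPLE_HARDENED" | has_bindnow || return 1
    if printf '%s\n' "$SAMPLE_LAZY" | has_bindnow; then return 1; fi
    return 0
}

# With file arguments, report on each; without, nothing is run at top level.
if [ "$#" -gt 0 ]; then
    for f; do check_binary "$f"; done
fi
```

Run it as `sh bindnow-check.sh /path/to/binary ...` on a system with binutils installed; `selftest` exercises only the embedded samples.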
