Re: state of security hardening build flag efforts
On Sat, Apr 07, 2012 at 11:27:46AM +0200, Raphael Hertzog wrote:
> On Sat, 07 Apr 2012, Julien Cristau wrote:
> > On Sat, Apr 7, 2012 at 02:17:21 +0200, Kurt Roeckx wrote:
> > > However, I wonder why bindnow isn't on by default. I thought we had
> > > a discussion about this, and didn't really see any negative
> > > performance from that?
> > It makes stuff stop working.
> I think you're mixing up with PIE.
> The reason bindnow is disabled by default is performance:
> commit 7af8fb2f01df10ffd65b733772fd3ef88f808cc3
> Author: Guillem Jover <email@example.com>
> Date: Tue Sep 13 08:47:58 2011 +0200
> dpkg-buildflags: Disable bind now by default
> This option has a startup performance hit on slow systems, particularly
> due to slow I/O, the effects of which cannot be reverted except for a
> rebuild. It might make sense for long running processes where the
> startup time is not that important, and the security improvements do
> actually matter. Another option is to set the environment variable
> LD_BIND_NOW=1 for the long running process, so that the sysadmin can
> disable it if desired.
I think I actually tested this on a slow system and had to come to
the conclusion that this wasn't the case, or like 1% slower or
something. But maybe we need more statistics for this?