
Re: state of security hardening build flag efforts



On Sat, Apr 07, 2012 at 11:27:46AM +0200, Raphael Hertzog wrote:
> Hi,
> 
> On Sat, 07 Apr 2012, Julien Cristau wrote:
> > On Sat, Apr  7, 2012 at 02:17:21 +0200, Kurt Roeckx wrote:
> > 
> > > However, I wonder why bindnow isn't on by default.  I thought we had
> > > a discussion about this, and didn't really see any negative
> > > performance from that?
> > 
> > It makes stuff stop working.
> 
> I think you're mixing up with PIE.
> 
> The reason bindnow is disabled by default is performance:
> 
> commit 7af8fb2f01df10ffd65b733772fd3ef88f808cc3
> Author: Guillem Jover <guillem@debian.org>
> Date:   Tue Sep 13 08:47:58 2011 +0200
> 
>     dpkg-buildflags: Disable bind now by default
>     
>     This option has a startup performance hit on slow systems, particularly
>     due to slow I/O, the effects of which cannot be reverted except for a
>     rebuild. It might make sense for long running processes where the
>     startup time is not that important, and the security improvements do
>     actually matter. Another option is to set the environment variable
>     LD_BIND_NOW=1 for the long running process, so that the sysadmin can
>     disable it if desired.

I think I actually tested this on a slow system and had to come to
the conclusion that this wasn't the case, or like 1% slower or
something.  But maybe we need more statistics for this?


Kurt
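
Added example, not part of the original thread or of dpkg: one way to gather the startup statistics discussed above, by timing the same command with lazy binding and with LD_BIND_NOW=1. The names time_once, compare and DEFAULT_CMD are hypothetical, and the runs hit a warm page cache, so the slow-I/O case named in the commit message needs a cold-cache run on the target hardware.

```python
import os
import statistics
import subprocess
import sys
import time

# Assumed default target: the running interpreter, a dynamically linked binary
# on typical systems. Pass another command on the command line to measure it.
DEFAULT_CMD = [sys.executable, "-c", "pass"]


def time_once(cmd, bind_now):
    """Wall-clock seconds for one run of cmd with lazy or immediate binding."""
    env = dict(os.environ)
    env.pop("LD_BIND_NOW", None)      # unset: ld.so resolves functions lazily
    if bind_now:
        env["LD_BIND_NOW"] = "1"      # non-empty: resolve all symbols at load
    start = time.perf_counter()
    subprocess.run(cmd, env=env, check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return time.perf_counter() - start


def compare(cmd, runs=20):
    """Interleave lazy and bind-now runs and report the median of each."""
    time_once(cmd, False)             # warm-up run, result discarded
    lazy, now = [], []
    for _ in range(runs):             # interleaving spreads system noise evenly
        lazy.append(time_once(cmd, False))
        now.append(time_once(cmd, True))
    lazy_med = statistics.median(lazy)
    now_med = statistics.median(now)
    return {
        "runs": runs,
        "lazy_median_s": lazy_med,
        "now_median_s": now_med,
        "overhead_pct": 100.0 * (now_med - lazy_med) / lazy_med,
    }


if __name__ == "__main__":
    # A binary already linked with -z now binds immediately in both cases,
    # so it will show no difference here.
    result = compare(sys.argv[1:] or DEFAULT_CMD)
    print("lazy  median: %.6f s" % result["lazy_median_s"])
    print("now   median: %.6f s" % result["now_median_s"])
    print("overhead:     %+.2f %%" % result["overhead_pct"])
```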

