[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: state of security hardening build flag efforts

On Sat, Apr 7, 2012 at 5:50 AM, Julien Cristau <jcristau@debian.org> wrote:
On Sat, Apr  7, 2012 at 11:27:46 +0200, Raphael Hertzog wrote:

> Hi,
> On Sat, 07 Apr 2012, Julien Cristau wrote:
> > On Sat, Apr  7, 2012 at 02:17:21 +0200, Kurt Roeckx wrote:
> >
> > > However, I wonder why bindnow isn't on by default.  I thought we had
> > > a discussion about this, and didn't really see any negative
> > > performance from that?
> >
> > It makes stuff stop working.
> I think you're mixing up with PIE.
No I'm not.  bindnow changes how e.g. dlopen works, so it breaks stuff
relying on RTLD_LAZY.  Like, say, your X server.

Here is where philosophy matters.  Yes, bindnow and pie can cause problems or slowdowns in certain (fortunately rare) cases.  Now, even though that is possible, that fact should not have any relevance on the choices for the defaults: on noticing that the flags have caused a problem, they can simply be disabled.  

For xorg, -pie,-bindnow certainly makes sense, but for the vast majority of other packages +all would be a far better default.

Best wishes,

Reply to: