Re: state of security hardening build flag efforts

To: debian-devel@lists.debian.org
Subject: Re: state of security hardening build flag efforts
From: Russ Allbery <rra@debian.org>
Date: Sat, 07 Apr 2012 06:21:23 -0700
Message-id: <[🔎] 87fwcfbru4.fsf@windlord.stanford.edu>
In-reply-to: <[🔎] CANTw=MOQKns_K5KfcSUB5diPgEFm83uA8HkuGWatvyF8CCXitw@mail.gmail.com> (Michael Gilbert's message of "Sat, 7 Apr 2012 08:18:12 -0400")
References: <[🔎] 20120401074937.GJ8020@outflux.net> <[🔎] CAKTje6F-9v=rQ7_ki5GFtGNn9DsizSADZQwvh_jSC=C6XCnuXQ@mail.gmail.com> <[🔎] 20120401182941.GM8020@outflux.net> <[🔎] 20120407001721.GA26789@roeckx.be> <[🔎] 20120407083137.GG22243@radis.cristau.org> <[🔎] 20120407092746.GA9796@rivendell.home.ouaza.com> <[🔎] 20120407095000.GH22243@radis.cristau.org> <[🔎] CANTw=MOQKns_K5KfcSUB5diPgEFm83uA8HkuGWatvyF8CCXitw@mail.gmail.com>

Michael Gilbert <mgilbert@debian.org> writes:

> Here is where philosophy matters.  Yes, bindnow and pie can cause
> problems or slowdowns in certain (fortunately rare) cases.  Now, even
> though that is possible, that fact should not have any relevance on the
> choices for the defaults: on noticing that the flags have caused a
> problem, they can simply be disabled.

> For xorg, -pie,-bindnow certainly makes sense, but for the vast majority
> of other packages +all would be a far better default.

+pie causes a fairly ordinary regular binary (gnubg) to die with a bus
error immediately upon execution.  If someone could figure out why and
whether it's a general class of problems or something peculiar to that
code, I'd be feeling more optimistic about enabling PIE more broadly.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: state of security hardening build flag efforts
  - From: Uoti Urpala <uoti.urpala@pp1.inet.fi>

References:
- state of security hardening build flag efforts
  - From: Kees Cook <kees@debian.org>
- Re: state of security hardening build flag efforts
  - From: Paul Wise <pabs@debian.org>
- Re: state of security hardening build flag efforts
  - From: Kees Cook <kees@debian.org>
- Re: state of security hardening build flag efforts
  - From: Kurt Roeckx <kurt@roeckx.be>
- Re: state of security hardening build flag efforts
  - From: Julien Cristau <jcristau@debian.org>
- Re: state of security hardening build flag efforts
  - From: Raphael Hertzog <hertzog@debian.org>
- Re: state of security hardening build flag efforts
  - From: Julien Cristau <jcristau@debian.org>
- Re: state of security hardening build flag efforts
  - From: Michael Gilbert <mgilbert@debian.org>

Prev by Date: Bug#626424: Join the number one adult dating site!t
Next by Date: Re: state of security hardening build flag efforts
Previous by thread: Re: state of security hardening build flag efforts
Next by thread: Re: state of security hardening build flag efforts
Index(es):
- Date
- Thread