
Re: state of security hardening build flag efforts

Michael Gilbert <mgilbert@debian.org> writes:

> Here is where philosophy matters.  Yes, bindnow and pie can cause
> problems or slowdowns in certain (fortunately rare) cases.  Now, even
> though that is possible, that fact should not have any relevance on the
> choices for the defaults: on noticing that the flags have caused a
> problem, they can simply be disabled.

> For xorg, -pie,-bindnow certainly makes sense, but for the vast majority
> of other packages +all would be a far better default.

+pie causes a fairly ordinary regular binary (gnubg) to die with a bus
error immediately upon execution.  If someone could figure out why and
whether it's a general class of problems or something peculiar to that
code, I'd be feeling more optimistic about enabling PIE more broadly.

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
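The thread is about whether a package was actually built with +pie and +bindnow, so the first thing a practitioner wants is a way to confirm what a given binary ended up with before blaming (or exonerating) the flags. The checker below is an added example written for this page, not code from the thread, from Debian's hardening tooling or from gnubg. It reads the ELF header, program headers and dynamic section directly, so it runs without readelf. Assumptions: 64-bit little-endian ELF only; PIE is reported when the file is ET_DYN and either carries the DF_1_PIE flag or has a PT_INTERP entry (the fallback for toolchains predating DF_1_PIE; a plain shared library has neither); the constant values are those from elf.h. `build_sample_elf` constructs a minimal ELF image purely as test input and is not a real executable. Nothing here explains the bus error itself; it only tells you whether the flags took effect.

```python
import struct
import sys

# ELF constants, values as defined in elf.h
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8          # DT_FLAGS bit set by -Wl,-z,now
DF_1_NOW = 0x1             # DT_FLAGS_1 bit set by -Wl,-z,now
DF_1_PIE = 0x08000000      # DT_FLAGS_1 bit set for -pie by newer linkers


def elf_hardening(data):
    """Report PIE / BIND_NOW status of a 64-bit little-endian ELF image.

    Returns {"dynamic": bool, "pie": bool, "bindnow": bool}.  A static
    binary has no PT_DYNAMIC, so both flags are reported False for it.
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here (assumption)")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    has_interp = False
    has_dynamic = False
    dyn_tags = {}
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _pflags, p_offset, _va, _pa, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_DYNAMIC:
            has_dynamic = True
            pos, end = p_offset, p_offset + p_filesz
            while pos + 16 <= end:
                d_tag, d_val = struct.unpack_from("<qQ", data, pos)
                pos += 16
                if d_tag == DT_NULL:
                    break
                dyn_tags[d_tag] = d_val

    flags = dyn_tags.get(DT_FLAGS, 0)
    flags1 = dyn_tags.get(DT_FLAGS_1, 0)
    # ET_DYN alone is not enough: shared libraries are ET_DYN too.  Require
    # either the explicit PIE flag or an interpreter request (executable).
    pie = e_type == ET_DYN and (bool(flags1 & DF_1_PIE) or has_interp)
    bindnow = (DT_BIND_NOW in dyn_tags
               or bool(flags & DF_BIND_NOW)
               or bool(flags1 & DF_1_NOW))
    return {"dynamic": has_dynamic, "pie": pie, "bindnow": bindnow}


def build_sample_elf(pie, bindnow):
    """Constructed test input: a minimal ELF64 image with only the headers the
    checker reads (PT_INTERP, PT_DYNAMIC, a short dynamic section).  Not runnable."""
    phnum, phoff = 2, 64
    dyn_off = phoff + phnum * 56
    flags = DF_BIND_NOW if bindnow else 0
    flags1 = (DF_1_PIE if pie else 0) | (DF_1_NOW if bindnow else 0)
    dyn = struct.pack("<qQ", DT_FLAGS, flags) + struct.pack("<qQ", DT_FLAGS_1, flags1)
    if bindnow:
        dyn += struct.pack("<qQ", DT_BIND_NOW, 0)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    interp_off = dyn_off + len(dyn)

    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH",
                        ET_DYN if pie else ET_EXEC, 62, 1, 0, phoff, 0, 0,
                        64, 56, phnum, 64, 0, 0)

    def phdr(p_type, off, size):
        return struct.pack("<IIQQQQQQ", p_type, 4, off, off, off, size, size, 8)

    phdrs = phdr(PT_INTERP, interp_off, len(interp)) + phdr(PT_DYNAMIC, dyn_off, len(dyn))
    return ehdr + phdrs + dyn + interp


def check_file(path):
    with open(path, "rb") as f:
        return elf_hardening(f.read())


if __name__ == "__main__":
    # Usage: python check_hardening.py /usr/games/gnubg /usr/bin/ls ...
    for p in sys.argv[1:]:
        r = check_file(p)
        print(f"{p}: dynamic={r['dynamic']} pie={r['pie']} bindnow={r['bindnow']}")
```

When the output shows pie=False for a package built with +pie, the flag was dropped somewhere in the build (a hand-written Makefile ignoring CFLAGS/LDFLAGS, for instance), so the reported failure cannot be attributed to PIE; when it shows pie=True, the crash reproduces with the flag actually in effect and is worth debugging further.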
