Re: state of security hardening build flag efforts
Michael Gilbert <mgilbert@debian.org> writes:
> Here is where philosophy matters. Yes, bindnow and pie can cause
> problems or slowdowns in certain (fortunately rare) cases. Now, even
> though that is possible, that fact should not have any relevance on the
> choices for the defaults: on noticing that the flags have caused a
> problem, they can simply be disabled.
> For xorg, -pie,-bindnow certainly makes sense, but for the vast majority
> of other packages +all would be a far better default.
+pie causes a fairly ordinary regular binary (gnubg) to die with a bus
error immediately upon execution. If someone could figure out why and
whether it's a general class of problems or something peculiar to that
code, I'd be feeling more optimistic about enabling PIE more broadly.
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
Reply to: