Re: Hardening patch
On Tue, Sep 13, 2011 at 07:56:41AM +0200, Guillem Jover wrote:
> On Sun, 2011-09-11 at 08:19:42 +0200, Raphael Hertzog wrote:
> > On Sun, 11 Sep 2011, Guillem Jover wrote:
> > > > + "bindnow" => 1
> > >
> > > Any reason you seem to have ignored the concerns I raised about
> > > defaulting to bindnow?
> >
> > Well, you mentioned potential performance problems and Kees said
> > that his tests did not conclude that it resulted in significant
> > performance loss. Kees has been doing the work, I trust him.
>
> I specifically asked on which arches he performed the tests. If he had
> said on armel too, then I'd not have any problem with that, but he
> didn't reply to that, so I don't see how this is a matter of trust,
> when there's just lack of information.
Ah, sorry about that; I didn't have access to hardware.
> I installed iceweasel on an ARM system (Thecus N2100), w/o X forwarding,
> and no user profile, so it just stops when it's not able to find the
> DISPLAY, but that should be good enough to get timings close to just the
> startup relocation times, which is what the ld.so stats show on amd64
> for example. Caches flushed on each iteration, which were pretty
> consistent, I've included two different ones for each:
Excellent, this is a good test. Thanks for doing this!
> real 0m2.279s
...
> real 0m3.255s
...
>
> As it can be seen the difference is pretty significant.
Yeah, that's massive. I would totally agree -- remove bindnow from
defaults.
> I'm changing it now on my local tree, will be included in my next
> push.
Thanks! I'll include "+bindnow" in the documentation that was already going
to include "+pie" for maintainers that want to transition from
hardening-wrapper/-includes to dpkg-buildflags.
-Kees
--
Kees Cook @debian.org
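A maintainer who turns "+bindnow" on for a package (or leaves it off for the reasons discussed in this thread) will want to confirm what actually got linked into the resulting binary. The script below is an added example, not dpkg's or the hardening-wrapper's code: it reads the PT_DYNAMIC segment of an ELF file and reports whether the dynamic loader has been asked for immediate binding, which is what `-Wl,-z,now` produces. The three encodings it checks (a DT_BIND_NOW entry, DF_BIND_NOW in DT_FLAGS, DF_1_NOW in DT_FLAGS_1) are the standard ELF ones and any of them is sufficient for ld.so. The `build_minimal_elf64` helper is a constructed test fixture, not a loadable program, so the check can be exercised offline.

```python
"""Report whether an ELF binary requests immediate (non-lazy) symbol binding,
i.e. whether it was linked with -z now as dpkg-buildflags' "+bindnow" does.
Added example; not part of dpkg or hardening-wrapper."""
import struct
import sys

# Dynamic-section tags and flag bits from the ELF specification.
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
PT_DYNAMIC = 2


def dynamic_entries(data):
    """Yield (tag, value) pairs from the PT_DYNAMIC segment of an ELF32/ELF64 image,
    stopping at the terminating DT_NULL entry."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2            # EI_CLASS: 1 = ELF32, 2 = ELF64
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little, 2 = big
    if is64:
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
    else:
        (e_phoff,) = struct.unpack_from(endian + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:
            p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
                endian + "IIQQQQ", data, off)
        else:
            p_type, p_offset, _va, _pa, p_filesz = struct.unpack_from(
                endian + "IIIII", data, off)
        if p_type != PT_DYNAMIC:
            continue
        fmt = endian + ("qQ" if is64 else "iI")   # Elf_Dyn: d_tag, d_val
        size = struct.calcsize(fmt)
        for pos in range(p_offset, p_offset + p_filesz, size):
            tag, val = struct.unpack_from(fmt, data, pos)
            if tag == DT_NULL:
                return
            yield tag, val


def has_bind_now(data):
    """True if the dynamic section asks ld.so to resolve all PLT symbols at load
    time instead of lazily (the behaviour "+bindnow" / -z now selects)."""
    for tag, val in dynamic_entries(data):
        if tag == DT_BIND_NOW:
            return True
        if tag == DT_FLAGS and val & DF_BIND_NOW:
            return True
        if tag == DT_FLAGS_1 and val & DF_1_NOW:
            return True
    return False


def build_minimal_elf64(dyn):
    """Constructed test fixture: an x86-64 little-endian ELF image whose only
    program header is a PT_DYNAMIC segment holding `dyn` (not runnable)."""
    phoff, phentsize, phnum = 64, 56, 1
    dyn_off = phoff + phentsize * phnum
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in list(dyn) + [(DT_NULL, 0)])
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    # e_type=ET_DYN(3), e_machine=EM_X86_64(62), e_version=1, then offsets/sizes.
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, phoff, 0, 0,
                               64, phentsize, phnum, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0,
                       len(dyn_bytes), len(dyn_bytes), 8)
    return ehdr + phdr + dyn_bytes


def check_file(path):
    """Return (path, bind_now_flag) for an on-disk ELF file."""
    with open(path, "rb") as fh:
        return path, has_bind_now(fh.read())


if __name__ == "__main__":
    for p in sys.argv[1:] or [sys.executable]:
        name, now = check_file(p)
        print("%s: %s" % (name, "BIND_NOW" if now else "lazy binding"))
```

Run it against a freshly built package's binaries to confirm the flag took effect; a "lazy binding" result on a binary that was meant to get full RELRO usually means the `-z now` flag was dropped somewhere in the build system rather than by dpkg-buildflags.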