Re: Enabling PIE by default for Stretch

To: Niels Thykier <niels@thykier.net>
Cc: debian-release <debian-release@lists.debian.org>, Matthias Klose <doko@debian.org>, DSA <debian-admin@lists.debian.org>, Debian Security Team <team@security.debian.org>, Bálint Réczey <balint@balintreczey.hu>
Subject: Re: Enabling PIE by default for Stretch
From: Florian Weimer <fw@deneb.enyo.de>
Date: Fri, 30 Sep 2016 13:22:11 +0200
Message-id: <[🔎] 87a8ep63a4.fsf@mid.deneb.enyo.de>
In-reply-to: <[🔎] 521f46e9-0a3b-fce2-86f9-b4008aadb541@thykier.net> (Niels Thykier's message of "Thu, 29 Sep 2016 19:39:00 +0000")
References: <[🔎] 521f46e9-0a3b-fce2-86f9-b4008aadb541@thykier.net>

* Niels Thykier:

> As brought up on the meeting last night, I think we should try to go for
> PIE by default in Stretch on all release architectures!
>  * It is a substantial hardening feature
>  * Upstream has vastly reduced the performance penalty for x86
>  * The majority of all porters believe their release architecture is
>    ready for it.
>  * We have sufficient time to solve any issues or revert if it turns out
>    to be too problematic.

Do you think that PIE-by-default makes BIND_NOW-by-default
unnecessary?

(The argument is that with PIE, it is much more difficult to get a
controlled GOT write.)

Reply to:

Follow-Ups:
- Re: Enabling PIE by default for Stretch
  - From: Niels Thykier <niels@thykier.net>
- Re: Enabling PIE by default for Stretch
  - From: Bálint Réczey <balint@balintreczey.hu>

References:
- Enabling PIE by default for Stretch
  - From: Niels Thykier <niels@thykier.net>

Prev by Date: Re: Porter roll call for Debian Stretch
Next by Date: Re: Porter roll call for Debian Stretch
Previous by thread: Enabling PIE by default for Stretch
Next by thread: Re: Enabling PIE by default for Stretch
Index(es):
- Date
- Thread