Note: Due to technical difficulties, the Archives are currently not up to date.
GMANE provides an alternative service for most mailing lists. c.f. bug 424647
torsdag 20 oktober 2011 13.17.33 skrev Mike Frysinger:
> On Thursday 20 October 2011 12:47:27 Rich Freeman wrote:
> > I was trying to draw a contrast between passive things like
> > stack-protection and things that really get in your face like MAC.
>
> the trouble was in the context quoting then ... it sounded like you were
> proposing PaX by default
>
> i am a fan of things that "just work" though which is why i was happy to
> merge the fortify source code. most of that checking is done at compile
> time, so the runtime overhead is generally small. and in terms of packages
> that did break, it was (more often than not) because they were broken
> already but we never noticed.
> -mike
Hi
Debian has start to add some hardened features but take a look at ubuntu
https://wiki.ubuntu.com/Security/Features
Adding ssp support to main would not be a problem for most package works with
it. We use same patch as ubuntu's toolchain to enable ssp, but we enable
-fstack-protector-all instead of -fstack-protector. You will, however, have
some performance penalty enabling it.
Adding PIE to main is much harder than ssp. On x86 it will have a high
performance penalty and a lot of trouble with asm code. The only arch I would
add PIE on is amd64 where it will have only a minor performance penalty and we
already have shared libs compile with PIC. The biggest problem we have with
PIE on amd64 is asm code in the apps where upstream is not that interested in
making the asm PIC aware. It hards to keep the patches up to date when they
are not maintained upstream.
There are about 30 packages which have problems with PIE. We either add patch
to these or else use filter-flags on them.
my 2c
/Magnus (Zorry)
|
|
