1 |
On Thursday 26 January 2012 11:55:54 Jason A. Donenfeld wrote: |
2 |
> On Tue, Jan 24, 2012 at 06:58, Mike Frysinger <vapier@g.o> wrote: |
3 |
> > pedantically, PIE+ASLR makes it significantly harder to exploit, not |
4 |
> > impossible |
5 |
> > |
6 |
> > if we could get some general performance numbers that show non-PIE vs |
7 |
> > PIE, that'd help make the case for turning PIE on by default regardless |
8 |
> > of set*id. |
9 |
> |
10 |
> For starters, though, what about just pooping a Q&A warning for non-PIE |
11 |
> SUID? That way those packages could be fixed, and we'd have a little trial |
12 |
> to see how PIE behaves across different platforms. If that all goes well, |
13 |
> we bump up to default, but that's a far off discussion. |
14 |
|
15 |
a QA warning doesn't help anyone if we don't have documentation in place |
16 |
explaining to people how to do this cleanly |
17 |
-mike |