| 1 |
On Thursday 20 October 2011 04:47:14 Paweł Hajdan, Jr. wrote: |
| 2 |
> I've noticed |
| 3 |
> <http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags>, i.e. |
| 4 |
> Debian is starting to make more and more hardening features default, at |
| 5 |
> least for most packages. |
| 6 |
|
| 7 |
seems a bit light on what actually is being used |
| 8 |
|
| 9 |
random thoughts: |
| 10 |
- we've long defaulted to linking with relro |
| 11 |
- defaulting to bindnow is pretty much a no go for USE=-hardened |
| 12 |
- building everything as PIC/PIE comes with performance penalty for some |
| 13 |
architectures (e.g. x86), and is often the source of build issues with the |
| 14 |
hardened port |
| 15 |
- we've long defaulted to building with _FORTIFY_SOURCE |
| 16 |
- i'd need to see actual overhead data with SSP to see about enabling it by |
| 17 |
default |
| 18 |
-mike |
Archives