On Thursday 20 October 2011 04:47:14 Paweł Hajdan, Jr. wrote:
> I've noticed
> <http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags>, i.e.
> Debian is starting to make more and more hardening features default, at
> least for most packages.

seems a bit light on what actually is being used

random thoughts:
- we've long defaulted to linking with relro
- defaulting to bindnow is pretty much a no-go for USE=-hardened
- building everything as PIC/PIE comes with a performance penalty for some architectures (e.g. x86), and is often the source of build issues with the hardened port
- we've long defaulted to building with _FORTIFY_SOURCE
- i'd need to see actual overhead data with SSP to see about enabling it by default

-mike
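Added example (not from the thread, and not Gentoo or Debian tooling): a POSIX sh script that reports which of the properties listed in the reply (RELRO, BIND_NOW, PIC/PIE, _FORTIFY_SOURCE, SSP) a built ELF file actually ended up with, by reading readelf(1) output. The classifier functions take readelf text as arguments so they can also be run on captured output; `hardening_report` is the wrapper that runs readelf on a real file. It assumes GNU binutils readelf is installed.

```shell
#!/bin/sh
# Added example: summarise build-hardening state of an ELF binary via readelf.
# Classifiers take readelf output text; hardening_report feeds them a file.

relro_status() {   # $1 = output of `readelf -lW`, $2 = output of `readelf -dW`
    if ! printf '%s\n' "$1" | grep -q 'GNU_RELRO'; then
        echo none
    elif printf '%s\n' "$2" | grep -Eq '\(FLAGS(_1)?\).*(BIND_NOW|Flags:.* NOW)'; then
        echo full      # RELRO segment + immediate binding: whole GOT read-only after load
    else
        echo partial   # RELRO segment, but lazy binding leaves .got.plt writable
    fi
}

pie_status() {     # $1 = output of `readelf -hW`
    # ET_DYN covers PIE executables and shared objects (both PIC);
    # ET_EXEC is a fixed-address executable, so no ASLR for its own image.
    if printf '%s\n' "$1" | grep -Eq 'Type:[[:space:]]+DYN'; then echo pic; else echo fixed; fi
}

ssp_status() {     # $1 = output of `readelf -sW`
    # A stack canary check imports __stack_chk_fail. "no" only proves that no
    # function qualified for a canary at the -fstack-protector level used.
    if printf '%s\n' "$1" | grep -q '__stack_chk_fail'; then echo yes; else echo no; fi
}

fortify_status() { # $1 = output of `readelf -sW`
    # _FORTIFY_SOURCE swaps calls for *_chk variants (e.g. __memcpy_chk) only
    # where the destination size is known, so "no" is not proof it was off.
    if printf '%s\n' "$1" | grep -Eq '__[a-z0-9]+(_[a-z0-9]+)*_chk(@|[[:space:]]|$)'; then
        echo yes
    else
        echo no
    fi
}

hardening_report() { # $1 = path to an ELF file; prints one summary line
    f=$1
    h=$(readelf -hW "$f") l=$(readelf -lW "$f") d=$(readelf -dW "$f") s=$(readelf -sW "$f")
    printf '%s: relro=%s pie=%s ssp=%s fortify=%s\n' "$f" \
        "$(relro_status "$l" "$d")" "$(pie_status "$h")" \
        "$(ssp_status "$s")" "$(fortify_status "$s")"
}

# Usage: ./hardening_report.sh /path/to/binary [...]
for f in "$@"; do hardening_report "$f"; done
```

Run it over a package's installed binaries to compare what the toolchain defaults actually produced, rather than what the flag list says; the SSP and FORTIFY checks are evidence of use, not proof of absence.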