On Thu, 24 Dec 2009, Kees Cook wrote:
> That's certainly a viable plan. This is kind of the approach we took in
> Ubuntu for the PIE feature. We also considered packages with a less than
> stellar security history. The list of packages built with PIE in Ubuntu
> is: (see https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/BuiltPIE )
>
> amavisd-new apache2 asterisk bind9 cups cyrus-sasl2 dhcp3 dovecot exim4

amavisd-new is perl, does that need PIE? Or do you mean the C utilities
(which are not network services but on the other hand are not
performance-sensitive anyway so might as well enable it just in case)?

Anyway, I'd appreciate a bug report against amavisd-new with whatever
information is pertinent about PIE, if you guys want us to add it to the
package.

> I couldn't agree more. See /usr/share/hardening-includes/hardening.make
> for details, but a package trying to avoid the hardening flags could just
> set DEB_BUILD_HARDENING=0 in debian/rules.

Can we get a standard DEB_BUILD_OPTIONS while that is still possible?

--
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh