On Tue, Sep 06, 2011 at 04:01:04PM +0000, The Fungi wrote:
> On Mon, Sep 05, 2011 at 02:22:39PM -0700, Kees Cook wrote:
> [...]
> > It might be better to extend it further, like "all network daemons
> > using dpkg-buildflags properly and enabling PIE"
> [...]
>
> And since many network daemons are implemented in interpreted
> languages, it might be nice to include packaged interpreters in the
> list of candidates.
Yeah, that's a good idea. Ubuntu has a list of packages that were
specifically called out to build with PIE (and as a result are
well-tested by now):

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/BuiltPIE

One task I haven't had time to do, related to interpreters, is to
benchmark the python testsuite with PIE. A number of years ago, there
was a 15% performance hit on i386 (due to so few general registers). I'd
really like to see the numbers across all architectures. A future
release goal, I think, would be to build all of amd64 (and any other
archs that don't see a big hit) with PIE by default.

Can someone step up to do this?

-Kees

--
Kees Cook @debian.org

Archive: http://lists.debian.org/20110908010758.gr31...@outflux.net
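To audit whether a packaged daemon or interpreter actually came out of the build as PIE, the ELF header is enough: a PIE executable is an ET_DYN object that also carries a PT_INTERP program header, whereas a traditional executable is ET_EXEC. The checker below is an added example, not code from this thread or from Debian/Ubuntu tooling; it uses only the standard library and ships a constructed minimal ELF64 image so it runs without real binaries.

```python
"""Classify an ELF image as PIE executable, non-PIE executable or shared object
by reading the ELF header and scanning program headers (pure-Python, offline)."""
import struct

ET_EXEC, ET_DYN = 2, 3      # e_type values
PT_LOAD, PT_INTERP = 1, 3   # p_type values


def classify_elf(data: bytes) -> str:
    """Return 'pie', 'no-pie', 'shared-object', 'not-executable' or 'not-elf'."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return "not-elf"
    is64 = data[4] == 2                       # EI_CLASS: 1 = ELF32, 2 = ELF64
    endian = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little, 2 = big
    e_type = struct.unpack_from(endian + "H", data, 16)[0]
    if is64:
        e_phoff = struct.unpack_from(endian + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
    else:
        e_phoff = struct.unpack_from(endian + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
    if e_type == ET_EXEC:
        return "no-pie"                       # fixed load address, not relocatable
    if e_type != ET_DYN:
        return "not-executable"               # ET_REL, ET_CORE, ...
    # ET_DYN is used for both shared libraries and PIE executables; the
    # presence of a PT_INTERP entry (dynamic loader path) marks an executable.
    for i in range(e_phnum):
        p_type = struct.unpack_from(endian + "I", data, e_phoff + i * e_phentsize)[0]
        if p_type == PT_INTERP:
            return "pie"
    return "shared-object"


def classify_path(path: str) -> str:
    """Convenience wrapper for real files, e.g. classify_path('/usr/sbin/sshd')."""
    with open(path, "rb") as fh:
        return classify_elf(fh.read())


def build_sample(e_type: int, with_interp: bool) -> bytes:
    """Constructed minimal little-endian ELF64 image (header + program headers),
    assumed here purely as test input; it is not a loadable binary."""
    phdr_types = ([PT_INTERP] if with_interp else []) + [PT_LOAD]
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)     # ELF64, LE, version 1
    header = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0x1000,
                                 64, 0, 0, 64, 56, len(phdr_types), 64, 0, 0)
    phdrs = b"".join(struct.pack("<I", t) + bytes(52) for t in phdr_types)
    return header + phdrs


if __name__ == "__main__":
    for label, img in (("pie", build_sample(ET_DYN, True)),
                       ("no-pie", build_sample(ET_EXEC, True))):
        print(label, "->", classify_elf(img))
```

Static-PIE executables have no PT_INTERP and are reported here as shared objects, and a PIE header says nothing about the other dpkg-buildflags hardening options (stack protector, RELRO, FORTIFY), which need their own checks.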