berta...@ptitcanardnoir.org wrote:
> On Fri, Sep 23, 2011 at 11:53:36AM +0200, Marco d'Itri wrote:
> > On Sep 23, Raphael Hertzog <hert...@debian.org> wrote:
> >
> > > Two hardening features are not enabled by default: PIE and bindnow.
> > Why?
>
> I guess because they have more impact on performance than the others.
Hi,

I think it would be better to enable all security-enhancing flags by default (at least all of the included ones so far, which are fairly well-tested). Yes, these two do have a larger potential to reduce performance, but it's also sufficiently straightforward to add -pie,-bindnow to disable them. Thus, maintainers that do find performance issues after adding the flags can easily solve the problem they've created. As it stands now, being a non-default setting, most packages will end up not getting these protections, which I think is less desirable than having most fully protected and only a small subset with reduced protections.

Best wishes,
Mike

-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20110924171133.68c6c6af9e5cb45dc9fca...@gmail.com
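The two flags under discussion leave visible marks in the built binary: -pie makes the executable an ET_DYN object (newer linkers also set DF_1_PIE in DT_FLAGS_1), and -bindnow sets DF_BIND_NOW in DT_FLAGS and/or DF_1_NOW in DT_FLAGS_1. The script below, an added example that is not part of the thread and not Debian's own hardening-check tool, parses the ELF header, program headers and PT_DYNAMIC segment directly so it can be run on any build output to confirm whether a package actually received the protections. The build_minimal_elf helper constructs a tiny, non-loadable ELF64 image purely as a test fixture; the constants are the standard elf.h values, and the name check_hardening is this example's own.

```python
"""Report PIE and BIND_NOW status of an ELF binary (added example, not Debian tooling)."""
import struct
import sys

# Constants from the System V ELF ABI (elf.h); values are standard.
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8                      # DT_FLAGS bit set by -Wl,-z,now
DF_1_NOW, DF_1_PIE = 0x1, 0x08000000   # DT_FLAGS_1 bits (DF_1_PIE: newer binutils only)


def _program_headers(data, is64, end):
    """Yield (p_type, p_offset, p_filesz) for every program header."""
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:   # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, ...
            p_type, _fl, p_off, _va, _pa, p_filesz = struct.unpack_from(end + "IIQQQQ", data, off)
        else:      # Elf32_Phdr: type, offset, vaddr, paddr, filesz, ...
            p_type, p_off, _va, _pa, p_filesz = struct.unpack_from(end + "IIIII", data, off)
        yield p_type, p_off, p_filesz


def _dynamic_entries(data, is64, end, offset, size):
    """Yield (d_tag, d_val) pairs from a PT_DYNAMIC segment, stopping at DT_NULL."""
    fmt = end + ("qQ" if is64 else "iI")
    entsize = struct.calcsize(fmt)
    for off in range(offset, offset + size - entsize + 1, entsize):
        tag, val = struct.unpack_from(fmt, data, off)
        if tag == DT_NULL:
            break
        yield tag, val


def check_hardening(data):
    """Return {'type', 'pie', 'pie_flag', 'bind_now'} for the ELF image in `data`."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                 # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little endian, 2 = big endian
    (e_type,) = struct.unpack_from(end + "H", data, 16)
    flags = flags_1 = 0
    has_dynamic = False
    for p_type, p_off, p_filesz in _program_headers(data, is64, end):
        if p_type == PT_DYNAMIC:
            has_dynamic = True
            for tag, val in _dynamic_entries(data, is64, end, p_off, p_filesz):
                if tag == DT_FLAGS:
                    flags = val
                elif tag == DT_FLAGS_1:
                    flags_1 = val
    return {
        "type": {ET_EXEC: "ET_EXEC", ET_DYN: "ET_DYN"}.get(e_type, hex(e_type)),
        # An ET_DYN *executable* is position independent (same test hardening-check uses).
        "pie": e_type == ET_DYN,
        "pie_flag": bool(flags_1 & DF_1_PIE),
        # No PT_DYNAMIC (fully static binary) means there is nothing to bind eagerly.
        "bind_now": has_dynamic and bool((flags & DF_BIND_NOW) or (flags_1 & DF_1_NOW)),
    }


def check_file(path):
    with open(path, "rb") as fh:
        return check_hardening(fh.read())


def build_minimal_elf(e_type, flags=0, flags_1=0):
    """Constructed test fixture: ELF64 LE image with one PT_DYNAMIC segment (not loadable)."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in
                   ((DT_FLAGS, flags), (DT_FLAGS_1, flags_1), (DT_NULL, 0)))
    ehdr_size, phdr_size = 64, 56
    dyn_off = ehdr_size + phdr_size
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, version 1, SYSV
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, ehdr_size, 0, 0,
                                 ehdr_size, phdr_size, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn


if __name__ == "__main__":
    for path in sys.argv[1:]:
        r = check_file(path)
        print("%s: %s pie=%s bind_now=%s" % (path, r["type"], r["pie"], r["bind_now"]))
```

Run it as `python3 elfhardening.py /usr/bin/some-binary` after a package build. On Debian the opt-out the message refers to is expressed through dpkg-buildflags, e.g. `export DEB_BUILD_MAINT_OPTIONS = hardening=+all,-pie,-bindnow` in debian/rules; the script lets a maintainer confirm the resulting binaries match what that line was supposed to produce. The "pie" field is only meaningful for executables, since shared libraries are ET_DYN by construction.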