Hi Florian,

2016-09-30 13:22 GMT+02:00 Florian Weimer <f...@deneb.enyo.de>:
> * Niels Thykier:
>
>> As brought up on the meeting last night, I think we should try to go for
>> PIE by default in Stretch on all release architectures!
>> * It is a substantial hardening feature
>> * Upstream has vastly reduced the performance penalty for x86
>> * The majority of all porters believe their release architecture is
>> ready for it.
>> * We have sufficient time to solve any issues or revert if it turns out
>> to be too problematic.
>
> Do you think that PIE-by-default makes BIND_NOW-by-default
> unnecessary?

I think the thread on debian-devel would be a better place to discuss that
because more people could voice their opinion.

> (The argument is that with PIE, it is much more difficult to get a
> controlled GOT write.)

IMO defaulting to using bindnow to have a read-only GOT is probably worth it
for two reasons:

1. There may be new attacks in the coming years making finding the GOT easier
   in PIE binaries.
2. On 32 bit systems PIE adds less entropy and using the same bindnow default
   on all architectures is .

Cheers,
Balint
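The two properties being weighed in this thread, PIE and BIND_NOW (which together with the GNU_RELRO segment gives a read-only GOT, "full RELRO"), can be read straight out of a binary's ELF header, program headers and dynamic section. The checker below is an added example written for this page, not code from the thread, from Debian's build tooling or from devscripts' hardening-check; the function names analyze_elf64 and build_sample_elf64 are this example's own. It uses only the Python standard library, handles ELF64 little-endian only (the 32-bit case from point 2 would need the Elf32 layouts), finds the dynamic section through PT_DYNAMIC so stripped binaries work, and builds itself a constructed, non-loadable sample image for testing.

```python
"""Report PIE / RELRO / BIND_NOW status of an ELF64 little-endian binary.

PIE:       e_type == ET_DYN (DF_1_PIE, when present, marks it as an executable
           rather than a shared object)
BIND_NOW:  DT_BIND_NOW, DF_BIND_NOW in DT_FLAGS, or DF_1_NOW in DT_FLAGS_1
RELRO:     a PT_GNU_RELRO program header; with BIND_NOW the GOT is fully
           resolved before ld.so mprotect()s that range read-only."""
import struct
import sys

# Constants as defined in <elf.h>.
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW, DF_1_PIE = 0x1, 0x08000000
EHDR_SIZE, PHDR_SIZE, DYN_SIZE = 64, 56, 16


def analyze_elf64(data):
    """Return a dict of hardening facts for an in-memory ELF64 LE image."""
    if len(data) < EHDR_SIZE or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    relro, dyn = False, None
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            dyn = (p_offset, p_filesz)

    flags = flags1 = 0
    bind_now_tag = False
    if dyn is not None:
        off, end = dyn[0], dyn[0] + dyn[1]
        while off + DYN_SIZE <= end:
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_FLAGS:
                flags = d_val
            elif d_tag == DT_FLAGS_1:
                flags1 = d_val
            elif d_tag == DT_BIND_NOW:  # older linkers emit the bare tag
                bind_now_tag = True
            off += DYN_SIZE

    bind_now = bind_now_tag or bool(flags & DF_BIND_NOW) or bool(flags1 & DF_1_NOW)
    return {
        "pie": e_type == ET_DYN,          # ET_DYN also covers shared objects
        "pie_flag": bool(flags1 & DF_1_PIE),  # newer ld sets this for -pie
        "bind_now": bind_now,
        "relro": relro,
        "full_relro": relro and bind_now,  # nothing left writable in the GOT
    }


def build_sample_elf64(pie=True, bind_now=True, relro=True):
    """Constructed sample (not a loadable binary): ELF header, a PT_DYNAMIC
    program header (plus PT_GNU_RELRO if requested) and a dynamic array."""
    dyn_entries = []
    if bind_now:
        dyn_entries.append((DT_FLAGS, DF_BIND_NOW))
    flags1 = (DF_1_NOW if bind_now else 0) | (DF_1_PIE if pie else 0)
    if flags1:
        dyn_entries.append((DT_FLAGS_1, flags1))
    dyn_entries.append((DT_NULL, 0))
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries)

    n_ph = 2 if relro else 1
    dyn_off = EHDR_SIZE + PHDR_SIZE * n_ph
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0,
                        len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LE, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1,
                        0, EHDR_SIZE, 0, 0, EHDR_SIZE, PHDR_SIZE, n_ph, 64, 0, 0)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    # Usage: python3 elfcheck.py /path/to/binary  (no argument: the sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf64()
    for key, value in analyze_elf64(blob).items():
        print(f"{key:10s} {'yes' if value else 'no'}")
```

The same facts are what `readelf -h` (Type: DYN vs EXEC), `readelf -l` (GNU_RELRO) and `readelf -d` (FLAGS / FLAGS_1) print, so the script is mostly useful for checking many packages' binaries at once. Note that PIE and BIND_NOW are independent: a PIE built without `-Wl,-z,now` still has a writable GOT until each symbol is lazily resolved, which is exactly the state the second reason above argues against.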