On Tue, May 19, 2015 at 06:01:07PM +0200, Michael Matz wrote:
> Hi,
>
> On Tue, 19 May 2015, Jeff Law wrote:
>
> > > > Forget lazy binding. It's dead anyway because serious distros want
> > > > PIE+relro+bindnow+...
> > >
> > > You keep saying this, but I can't help the feeling it's mostly because
> > > musl doesn't support it ;-)
> >
> > FWIW, Red Hat is pushing PIE & partial RELRO deeper and deeper into the
> > distribution.
>
> Yeah, us as well, though I don't necessarily see the point for most
> packages; feels a bit like a checkmark item :)

These days it's fairly rare to have software which does not interact at all with untrusted data. Consider how much user-facing application software that was not previously considered security-critical is making network connections using complex protocols (e.g. anything with TLS, IM protocols, ...), opening image files from random sources (attachments, files that happen to be in a browsed-to directory, on USB sticks, etc.), and so on. I think it's smart to be hardening everything, at least for distros providing all sorts of random unvetted software.

Rich