On Mon, Jan 23, 2012 at 20:37, Diego Elio Pettenò <flamee...@gentoo.org> wrote:

> Stripping a compiled file of read permissions is quick, painless and
> (mostly) safe from errors. Changing the way it is compiled.. not so
> much.
>
> I'm not saying that it's not a good idea, but if we want to proceed with
> this, there has to be someone who goes to look at all the packages and
> corrects them.

Right. It's a big ordeal. I'm *not* suggesting, however, that we automatically inject a CFLAG or something awful like that.
What I propose is just to *detect* at merge-time whether or not there are SUID binaries that are not PIE, and if so, spit out a Q&A warning. That way, package maintainers could fix things up bit by bit, without having to burden you alone with tinderbox troubles.
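
A sketch of the merge-time check proposed in the message above, as an added example that is not part of the original message and is not Portage code: it walks an install image, picks out SUID regular files, and reports those whose ELF header says `ET_EXEC` (fixed-address, so not PIE). The function names, sample paths and notice wording are assumptions, and the sample files are constructed header stubs rather than real binaries.

```python
import os, stat, struct, tempfile

ET_EXEC, ET_DYN = 2, 3  # e_type values from the ELF specification

def elf_type(path):
    """Return e_type from the ELF header, or None if the file is not ELF."""
    with open(path, "rb") as f:
        hdr = f.read(18)
    if len(hdr) < 18 or hdr[:4] != b"\x7fELF":
        return None
    endian = "<" if hdr[5] == 1 else ">"  # EI_DATA: 1 = little-endian
    return struct.unpack_from(endian + "H", hdr, 16)[0]

def suid_non_pie(image_dir):
    """List SUID ELF executables under image_dir that are ET_EXEC (not PIE)."""
    hits = []
    for root, _dirs, files in os.walk(image_dir):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)  # lstat: never follow symlinks out of the image
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                if elf_type(path) == ET_EXEC:
                    hits.append(os.path.relpath(path, image_dir))
    return sorted(hits)

def build_sample_image(image_dir):
    """Constructed sample: minimal fake ELF headers, not real binaries."""
    def fake_elf(e_type):
        ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # 64-bit, LSB
        return ident + struct.pack("<H", e_type) + bytes(46)
    samples = {
        "usr/bin/legacy-suid": (fake_elf(ET_EXEC), 0o4755),
        "usr/bin/hardened-suid": (fake_elf(ET_DYN), 0o4755),
        "usr/bin/plain-tool": (fake_elf(ET_EXEC), 0o755),
        "usr/bin/suid-script": (b"#!/bin/sh\n", 0o4755),
    }
    for rel, (data, mode) in samples.items():
        path = os.path.join(image_dir, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample_image(d)
        for rel in suid_non_pie(d):
            print(f"QA Notice: SUID binary is not PIE: {rel}")
```

Only `ET_EXEC` is flagged, because `ET_DYN` covers both PIE executables and shared objects; the check warns and changes nothing in the image.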