>Theo de Raadt wrote: >>Some other debugging toolkits get them too. To a large extent these >>come with almost no performance cost. > >Is there any special reason why there is no /etc/malloc.conf by >default (linking to, say, 'S') then?
Yes, there's a real good reason -- too much portable software breaks. The right level of mitigations are currently turned on. We are continually cranking the knob just a little bit more to turn on a few more. For example, a mechanims called PIE was just enabled system-wide on powerpc and i386. It was already enabled elsewhere. And we have just switched from the old 8-byte -fstack-protector heuristic to the new -fstack-protector-strong heuristic. It has taken more than 10 years to slowly ramp up the security migitations, generate soft pain, and thus push improvements up into the massive portable software base. Go look for my presentation in Russia.
