The following commit has been merged in the master branch:
commit 7af8fb2f01df10ffd65b733772fd3ef88f808cc3
Author: Guillem Jover <[email protected]>
Date:   Tue Sep 13 08:47:58 2011 +0200

    dpkg-buildflags: Disable bind now by default
    
    This option has a startup performance hit on slow systems, particularly
    due to slow I/O, the effects of which cannot be reverted except for a
    rebuild. It might make sense for long running processes where the
    startup time is not that important, and the security improvements do
    actually matter. Another option is to set the environment variable
    LD_BIND_NOW=1 for the long running process, so that the sysadmin can
    disable it if desired.

diff --git a/man/dpkg-buildflags.1 b/man/dpkg-buildflags.1
index 7427f54..d469751 100644
--- a/man/dpkg-buildflags.1
+++ b/man/dpkg-buildflags.1
@@ -1,4 +1,4 @@
-.TH dpkg\-buildflags 1 "2011-09-09" "Debian Project" "dpkg suite"
+.TH dpkg\-buildflags 1 "2011-09-13" "Debian Project" "dpkg suite"
 .SH NAME
 dpkg\-buildflags \- returns build flags to use during package build
 .
@@ -235,7 +235,7 @@ notably this prevents GOT overwrite attacks.
 .
 .TP
 .B bindnow
-This setting (enabled by default) adds
+This setting (disabled by default) adds
 .B \-Wl,\-z,now
 to \fBLDFLAGS\fP. During program load, all dynamic symbols are resolved,
 allowing for the entire PLT to be marked read-only (due to \fBrelro\fP
diff --git a/scripts/Dpkg/Vendor/Debian.pm b/scripts/Dpkg/Vendor/Debian.pm
index 54f406c..c34f4b8 100644
--- a/scripts/Dpkg/Vendor/Debian.pm
+++ b/scripts/Dpkg/Vendor/Debian.pm
@@ -90,7 +90,7 @@ sub add_hardening_flags {
        "fortify" => 1,
        "format" => 1,
        "relro" => 1,
-       "bindnow" => 1
+       "bindnow" => 0
     );
     my $opts = Dpkg::BuildOptions->new(envvar => "DEB_BUILD_MAINT_OPTIONS");
     foreach my $feature (split(",", $opts->get("hardening") // "")) {
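Review bot: With `"bindnow" => 0` sitting next to `"relro" => 1` in the defaults hash, default builds get only partial RELRO. Lazy binding leaves the PLT's GOT entries writable after startup, which is the gap the man page text in this commit says bindnow closes. Nothing in the code records that trade-off, so I would add a comment above the entry, for example `# bindnow is off by default (startup cost); relro alone leaves .got.plt writable, opt in with hardening=+bindnow`. Maintainers of long-running or network-facing daemons then see at the point of definition that they have to opt in through DEB_BUILD_MAINT_OPTIONS. add_hardening_flags starts before and continues past this hunk, so how the loop applies a requested bindnow is not visible here.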

-- 
dpkg's main repository

