> That said, even on x86_64 it isn't anything close to no overhead. > Tried last night to rebuild GCC's cc1plus as -fpie -pie, and then > rebuild stage3 of GCC with make -j1 separately with the original stage3 > cc1plus (ET_EXEC binary) and PIE cc1plus (ET_DYN). The build (which > included still time for various other tools being not PIE, make, ld, as) > got 2.1% slower user time.
Thanks, this would probably be the first significant example of a really affected program: ( https://fedorahosted.org/fesco/ticket/1113#comment:9 ) 1. Built in the distribution 2. CPU-bound (or CPU-limited in the primary performance metric) 3. Not required use PIE already (= not running as root, not a daemon) 4. (added): Not having the CPU-bound part in a shared library, like firefox or libreoffice¹ do. How many other such programs are there? If all we are talking about is increased program build times, that is IMHO _well_ worth the security mitigations. Mirek ¹ (Both Firefox and LibreOffice are disqualified through 3. anyway.) -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
