torsdag 20 oktober 2011 13.17.33 skrev Mike Frysinger: > On Thursday 20 October 2011 12:47:27 Rich Freeman wrote: > > I was trying to draw a contrast between passive things like > > stack-protection and things that really get in your face like MAC. > > the trouble was in the context quoting then ... it sounded like you were > proposing PaX by default > > i am a fan of things that "just work" though which is why i was happy to > merge the fortify source code. most of that checking is done at compile > time, so the runtime overhead is generally small. and in terms of packages > that did break, it was (more often than not) because they were broken > already but we never noticed. > -mike
Hi Debian has start to add some hardened features but take a look at ubuntu https://wiki.ubuntu.com/Security/Features Adding ssp support to main would not be a problem for most package works with it. We use same patch as ubuntu's toolchain to enable ssp, but we enable -fstack-protector-all instead of -fstack-protector. You will, however, have some performance penalty enabling it. Adding PIE to main is much harder than ssp. On x86 it will have a high performance penalty and a lot of trouble with asm code. The only arch I would add PIE on is amd64 where it will have only a minor performance penalty and we already have shared libs compile with PIC. The biggest problem we have with PIE on amd64 is asm code in the apps where upstream is not that interested in making the asm PIC aware. It hards to keep the patches up to date when they are not maintained upstream. There are about 30 packages which have problems with PIE. We either add patch to these or else use filter-flags on them. my 2c /Magnus (Zorry)
