On Wed, Apr 3, 2013 at 2:05 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
> On Wednesday, April 03, 2013 01:48:17 PM Miloslav Trmač wrote:
> > On Tue, Apr 2, 2013 at 9:57 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
> > > On Saturday, March 30, 2013 08:54:30 AM Dhiru Kholia wrote:
> > > > "_hardened_build" rpm spec macro can be used to harden a
> > > >
> > > > For an example, see
> > > > http://pkgs.fedoraproject.org/cgit/clamav.git/tree/clamav.spec
> > > This flag is overly aggressive. We have a list of programs that need
> > > enabled and doing more isn't necessarily constructive.
> > Why exactly it "isn't necessarily constructive"? If you have hard
> > please share :)
> Because PIE is only supposed to be on long-running apps and setuid apps. If
> it's on everything, it will slow the system down too much and then you have
> knee-jerk reaction to remove it from anything. We want it applied when
> and otherwise not.
How much does it slow things down? I'm fairly certain you don't have any
good data on this point. Dhiru is working out how to best figure out FWIW.
I'm willing to agree that PIE on x86 is going to be very slow due to
register pressure. However, we should consider revisiting what we want
built as PIE. Is Firefox a long running process? It is on my system.
Revisiting our current list and trying to understand our needs is never a
bad thing to do. Existing architectures are different now than they were
when that list was created; no harm comes from talking about it.
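As an added example, not code from the thread, from Fedora's spec macros or from any of the participants: a POSIX shell check that reads the ELF `e_type` field to tell fixed-address executables (ET_EXEC) from ET_DYN (what a PIE build produces), and flags a setuid file that is not PIE, which is the one case both sides of the thread agree should be hardened. The fake ELF headers it builds are constructed sample input, the function names (`elf_type`, `check_pie_policy`, `make_fake_elf`) are this example's own, and it assumes little-endian ELF and a POSIX `od(1)`. ET_DYN alone does not distinguish a PIE executable from a shared library; on a real system confirm with `readelf -l` (a PT_INTERP entry) or `readelf -d` (DT_FLAGS_1 PIE).

```shell
#!/bin/sh
# Added example (not from the thread): classify ELF files by e_type and flag
# setuid programs that are not PIE. Assumes little-endian ELF (x86/x86_64)
# and a POSIX od(1); readelf is not required.

elf_type() {
    # Print EXEC (fixed-address executable, not PIE), DYN (PIE or shared
    # object), OTHER, or NOTELF for the file given as $1.
    f=$1
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo NOTELF; return 1; }
    # e_type is the 16-bit little-endian field at offset 16 of the header.
    set -- $(od -An -tu1 -j16 -N2 "$f")
    case $(( $1 + $2 * 256 )) in
        2) echo EXEC ;;
        3) echo DYN ;;
        *) echo OTHER ;;
    esac
}

check_pie_policy() {
    # The minimum policy the thread agrees on: setuid programs must be PIE.
    # Returns 1 for a setuid file that is ET_EXEC (or not ELF), 0 otherwise.
    f=$1
    t=$(elf_type "$f") || return 1
    suid=no
    [ -u "$f" ] && suid=yes
    echo "$f: type=$t setuid=$suid"
    [ "$suid" = yes ] && [ "$t" = EXEC ] && return 1
    return 0
}

make_fake_elf() {
    # Constructed sample input: a 64-byte ELF64 header with e_type = $2
    # (2 = ET_EXEC, 3 = ET_DYN) written to $1. Only the header is needed
    # for elf_type; this is not a loadable binary.
    printf '\177ELF\002\001\001\000\000\000\000\000\000\000\000\000' > "$1"
    printf "\\$(printf '%03o' "$2")\\000" >> "$1"     # e_type, little-endian
    printf '\076\000\001\000\000\000' >> "$1"          # e_machine, e_version
    dd if=/dev/zero bs=1 count=40 2>/dev/null >> "$1"  # pad to 64 bytes
}

# Demo on constructed headers: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_fake_elf "$d/fixed" 2
    make_fake_elf "$d/pie" 3
    chmod u+s "$d/fixed"
    check_pie_policy "$d/pie"    # type=DYN setuid=no  -> exit 0
    check_pie_policy "$d/fixed"  # type=EXEC setuid=yes -> exit 1
    rm -rf "$d"
fi
```

To audit an installed system the same way, feed `check_pie_policy` the output of `find / -perm -4000 -type f` and treat any non-zero exit as a setuid program built without `_hardened_build`; the performance question the thread raises is separate from whether a binary is PIE at all, and this check only answers the latter.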