https://fedorahosted.org/fpc/ticket/144
The guidelines currently read:
... If your package meets the following critera you should consider enabling the PIE compiler flags:
Your package is long running. This means it's likely to be started and keep running until the machine is rebooted, not start on demand and quit on idle.
Your package has suid binaries, or binaries with capabilities.
Your package runs as root.
Your package accepts/processes untrusted input. ...
I'd like to change this from 'should' to 'must'. I do not believe there are convincing performance reasons that we have found that would require not using it for packages that fit this criteria. The only concern would be programs that don't work as PIE ... those can be treated as exceptions.
Comments?
Bill
packaging@lists.fedoraproject.org