Expanding the list of "Hardened Packages"

Reindl Harald h.reindl at thelounge.net
Tue Apr 2 23:53:27 UTC 2013


On 03.04.2013 01:50, John Reiser wrote:
>> It does rather seem like we should consider just killing it [prelink], at least by default.
> 
> Prelinking shortens the time between execve() and first useful output

in theory

> A prelinked module reduces time spent in ld-linux, and increases sharing
> of pages (which reduces time spent in kernel duplicating copy-on-write pages.)
> The savings are *visible* when invoking an interactive GUI program that has
> dozens of shared libraries, or when several hundred smaller executables
> are invoked each second, such as some 'make' clouds, etc.

not noticeable compared with the security flaws

> Some systems want those savings, and are willing to pay with slightly
> less protection via reduced ASLR.

then THESE SYSTEMS should install prelink
but not install it AS DEFAULT

> Some administrators compensate
> by running a full prelink daily, and a partial prelink of "hot" modules
> (glibc, ...) a few times during the day, even as often as hourly;
> and with parameters to reduce interference with modules which are
> not being [re-]prelinked during the current run

fine they should do what they want

but as DEFAULT anything which beats ASLR is UNACCEPTABLE these days
