So everything in Rawhide must be compiled with -fPIC?

Reindl Harald h.reindl at
Fri Feb 20 17:26:47 UTC 2015

Am 20.02.2015 um 18:21 schrieb Peter Robinson:
>>> I've never argumented against the goal that web browser or all network aware
>>> services should be PIEs, after all, why would we (Ulrich Drepper and myself)
>>> add the PIE support into the toolchain otherwise?
>>> I'm just not convinced most of the unpriviledged programs should be PIEs.
>> Thanks to e.g. e-mail about any program can be made to run untrusted
>> data, e.g. PDF readers, office suites, image viewers, if you open an
>> attachment of the respective type. Therefore it makes a sane default
>> IMHO. It is also something to attract users that care about security
>> very much to Fedora.
> So your saying here that this is miraculously going to stop people
> from running random binaries that are being emailed to them?

nobody said that

but it may stop a otherwise successful exploit in the application 
opening the malicious attachment targeting a unknown or unfixed security 

> just going stop people from running random non PIC/PIE binaries? I
> don't buy that this is a miracle fix to that problem. How then does it
> affect other third party binaries not compiled with PIC/PIE that
> people might wish to run?

you can't fix and protect every binary on the world

but you can raise the bar for distribution packages
without PIC/PIE ASLR won't work

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the devel mailing list