F22 System Wide Change: Harden all packages with position-independent code

Reindl Harald h.reindl at thelounge.net
Thu Jan 8 23:29:21 UTC 2015 

Am 09.01.2015 um 00:16 schrieb Dennis Gilmore:
> On Thu, 08 Jan 2015 20:25:36 +0100
> Reindl Harald <h.reindl at thelounge.net> wrote:
>>
>> Am 08.01.2015 um 19:45 schrieb Miloslav Trmač:
>>>> = Proposed System Wide Change: Harden all packages with
>>>> position-independent code =
>>>>
>>>> Harden all packages with position-independent code to limit the
>>>> damage from certain security vulnerabilities.
>>>
>>> So this proposal is for _all_ architectures, including the
>>> register-starved 32-bit i?86 where the overhead is, IIRC, around
>>> 10%.  I am by now quite convinced that x86_64 should be using PIE
>>> by default.  As for 32-bit, I’m torn between “this is too much
>>> overhead” and “32-bit isn’t worth the worry, let’s instead make the
>>> defaults consistent.”
>>
>> probably not worth the worry, new machines are x86_64 mostly, keep in
>> mind RHEL7 dropped i686 at all
>>
>> even if they are still used - 10% sounds much *but* such old machines
>> mostly have a special task and are far away from noticeable load and
>> it really depends on the workload if you even notice 20% performance
>> drop
>>
>> at least i doubt there is a noticeable userbase with i686 running
>> Fedora at all *and* would notice the drop noticeable
>
> all of the OLPC XO 1.0 and 1.5 devices are running i686 fedora, that
> userbase is in the millions, but would they notice  the performance
> drop I do not know.

that would be the main question and how large is the real impact besides 
syntetic benchmarks - thats partly the same as for how fast your machine 
boots - how often does it boot a day and the same for starting 
applications when consider caching

a benchmark is nice to compare and get a picture but it practically 
never reflects the typical workload of a human (let us ignore FPS and 
games at that point)

> It would be interesting to see how performance was impacted on 32 bit
> arm

given that this thread made clear most mobile operating systems enforce 
full PIE/PIC and most are running ARM on 32 bit i'd say if we have a 
much larger problem if that's a showstopper for Fedora

however, numbers and *real human testing* would be interesting too

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.fedoraproject.org/pipermail/devel/attachments/20150109/4fff0fc1/attachment.sig>

More information about the devel mailing list