On Mon, 2015-01-05 at 10:10 +0100, Marcus Meissner wrote:
Hi,
short: Marcus wants to enable PIE support globally.
long version: To make programs less affected by buffer overflows and similar exploits, one feature is "address space layout randomization" aka "ASLR".
Marcus, Thanks for taking this initiative! It's a great way to ensure we do the right things in the best possible approach.
Disadvantages of PIE: - There had been performance concerns, but these are mostly relevant for i586 due to low number of processor registers (and there like 5-10%). On other platforms but i586 there should be no performance decrease.
Do we want to address that performance issue on i586 (which openSUSE is still built for) by having the i586 not PIE enabled?
Methods I am currently thinking about: - Change the compiler directly to build PIE binaries by default (change in gcc) Binaries that do not want it, would need to use -no-pie / -fno-PIE
Advantage: - only some changes in .spec file where it is not wanted - would work for more than just the spec files using %configure or %cmake macros
That seems indeed like the one-fix-catch-it-all approach (almost,
packages using gold might still need to be touched)
Cheers and happy new year!
Dominique
--
Dimstar / Dominique Leuenberger